You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@directory.apache.org by co...@apache.org on 2017/07/21 15:03:18 UTC
[01/18] directory-kerby git commit: DIRKRB-551 - Data type conversion
between GSSAPI interface and Kerby. Thanks to Wei Zhou.
Repository: directory-kerby
Updated Branches:
refs/heads/trunk c70d5c934 -> cc107ac19
DIRKRB-551 - Data type conversion between GSSAPI interface and Kerby. Thanks to Wei Zhou.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/d58e3423
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/d58e3423
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/d58e3423
Branch: refs/heads/trunk
Commit: d58e3423e917326a3ff5aabe1ddcf1c564db2059
Parents: c70d5c9
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Jul 21 14:44:45 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 14:45:07 2017 +0100
----------------------------------------------------------------------
.../kerby/kerberos/kerb/client/ClientUtil.java | 9 +-
kerby-kerb/kerb-gssapi/pom.xml | 41 ++
.../kerberos/kerb/gssapi/krb5/KerbyUtil.java | 383 +++++++++++++++++++
kerby-kerb/pom.xml | 1 +
4 files changed, 431 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/d58e3423/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/ClientUtil.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/ClientUtil.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/ClientUtil.java
index a78e19c..d822431 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/ClientUtil.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/ClientUtil.java
@@ -40,12 +40,15 @@ public final class ClientUtil {
/**
* Load krb5.conf from specified conf dir.
- * @param confDir The conf dir
+ * @param conf The conf file or dir, default file name 'krb5.conf' is used if dir
* @return KrbConfig
* @throws KrbException e
*/
- public static KrbConfig getConfig(File confDir) throws KrbException {
- File confFile = new File(confDir, KRB5_FILE_NAME);
+ public static KrbConfig getConfig(File conf) throws KrbException {
+ if (!conf.exists()) {
+ throw new KrbException(conf + " not found");
+ }
+ File confFile = conf.isDirectory() ? new File(conf, KRB5_FILE_NAME) : conf;
if (!confFile.exists()) {
throw new KrbException(KRB5_FILE_NAME + " not found");
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/d58e3423/kerby-kerb/kerb-gssapi/pom.xml
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/pom.xml b/kerby-kerb/kerb-gssapi/pom.xml
new file mode 100644
index 0000000..fd69078
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/pom.xml
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License. See accompanying LICENSE file.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+
+ <parent>
+ <groupId>org.apache.kerby</groupId>
+ <artifactId>kerby-kerb</artifactId>
+ <version>1.0.0-RC3-SNAPSHOT</version>
+ </parent>
+
+ <artifactId>kerb-gssapi</artifactId>
+
+ <name>Kerby-kerb GssAPI</name>
+ <description>Kerby-kerb GSSAPI Implementation</description>
+
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.kerby</groupId>
+ <artifactId>kerb-crypto</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.kerby</groupId>
+ <artifactId>kerb-client</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ </dependencies>
+</project>
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/d58e3423/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyUtil.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyUtil.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyUtil.java
new file mode 100644
index 0000000..61eeb8d
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyUtil.java
@@ -0,0 +1,383 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gssapi.krb5;
+
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.client.KrbClientBase;
+import org.apache.kerby.kerberos.kerb.request.ApRequest;
+import org.apache.kerby.kerberos.kerb.type.KerberosTime;
+import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationData;
+import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationDataEntry;
+import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.type.base.HostAddress;
+import org.apache.kerby.kerberos.kerb.type.base.HostAddresses;
+import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
+import org.apache.kerby.kerberos.kerb.type.kdc.EncAsRepPart;
+import org.apache.kerby.kerberos.kerb.type.kdc.EncKdcRepPart;
+import org.apache.kerby.kerberos.kerb.type.kdc.EncTgsRepPart;
+import org.apache.kerby.kerberos.kerb.type.ticket.KrbTicket;
+import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
+import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
+import org.apache.kerby.kerberos.kerb.type.ticket.Ticket;
+import org.apache.kerby.kerberos.kerb.type.ticket.TicketFlags;
+import org.ietf.jgss.GSSException;
+
+import javax.crypto.SecretKey;
+import javax.security.auth.kerberos.KerberosKey;
+import javax.security.auth.kerberos.KerberosPrincipal;
+import javax.security.auth.kerberos.KerberosTicket;
+import java.io.File;
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.nio.ByteBuffer;
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.util.Date;
+import java.util.List;
+
+/**
+ * Some utility functions to translate types between GSS and Kerby
+ */
+public class KerbyUtil {
+ private static final int KERBEROS_TICKET_NUM_FLAGS = 32; // KerberosTicket.NUM_LENGTH
+
+ /**
+ * Construct TgtTicket from info contained in KerberosTicket
+ * @param kerberosTicket
+ * @return
+ * @throws GSSException
+ */
+ public static TgtTicket getTgtTicketFromKerberosTicket(KerberosTicket kerberosTicket) throws GSSException {
+ String clientName = kerberosTicket.getClient().getName();
+ PrincipalName clientPrincipal = new PrincipalName(clientName);
+
+ byte[] asn1Encoded = kerberosTicket.getEncoded();
+ Ticket ticket = getTicketFromAsn1Encoded(asn1Encoded);
+
+ EncAsRepPart encAsRepPart = new EncAsRepPart();
+ fillEncKdcRepPart(encAsRepPart, kerberosTicket);
+
+ TgtTicket tgt = new TgtTicket(ticket, encAsRepPart, clientPrincipal);
+ return tgt;
+ }
+
+ /**
+ * Init encKdcRepPart members with info from kerberosTicket
+ * @param encKdcRepPart
+ * @param kerberosTicket
+ */
+ public static void fillEncKdcRepPart(EncKdcRepPart encKdcRepPart, KerberosTicket kerberosTicket) {
+ String clientName = kerberosTicket.getClient().getName();
+ PrincipalName clientPrincipal = new PrincipalName(clientName);
+
+ SecretKey secretKey = kerberosTicket.getSessionKey();
+ int keyType = kerberosTicket.getSessionKeyType();
+ EncryptionKey key = new EncryptionKey(keyType, secretKey.getEncoded());
+ encKdcRepPart.setKey(key);
+
+ encKdcRepPart.setSname(clientPrincipal);
+ Date authTimeDate = kerberosTicket.getAuthTime();
+ if (authTimeDate != null) {
+ encKdcRepPart.setAuthTime(new KerberosTime(authTimeDate.getTime()));
+ }
+ Date startTimeDate = kerberosTicket.getStartTime();
+ if (startTimeDate != null) {
+ encKdcRepPart.setStartTime(new KerberosTime(startTimeDate.getTime()));
+ }
+ KerberosTime endTime = new KerberosTime(kerberosTicket.getEndTime().getTime());
+ encKdcRepPart.setEndTime(endTime);
+
+
+ InetAddress[] clientAddresses = kerberosTicket.getClientAddresses();
+ HostAddresses hostAddresses = null;
+ if (clientAddresses != null) {
+ hostAddresses = new HostAddresses();
+ for (InetAddress iAddr : clientAddresses) {
+ hostAddresses.add(new HostAddress(iAddr));
+ }
+ }
+ encKdcRepPart.setCaddr(hostAddresses);
+
+ boolean[] tf = kerberosTicket.getFlags();
+ TicketFlags ticketFlags = getTicketFlags(tf);
+ encKdcRepPart.setFlags(ticketFlags);
+
+
+ /* encKdcRepPart.setKeyExpiration();
+ encKdcRepPart.setLastReq();
+ encKdcRepPart.setNonce(); */
+
+ Date renewTillDate = kerberosTicket.getRenewTill();
+ KerberosTime renewTill = renewTillDate == null ? null : new KerberosTime(renewTillDate.getTime());
+ encKdcRepPart.setRenewTill(renewTill);
+
+ String serverRealm = kerberosTicket.getServer().getRealm();
+ encKdcRepPart.setSrealm(serverRealm);
+ }
+
+ /**
+ * Generate TicketFlags instance from flags
+ * @param flags each item in flags identifies an bit setted or not
+ * @return
+ */
+ public static TicketFlags getTicketFlags(boolean[] flags) {
+ if (flags == null || flags.length != KERBEROS_TICKET_NUM_FLAGS) {
+ return null;
+ }
+ int value = 0;
+ for (boolean flag : flags) {
+ value = (value << 1) + (flag ? 1 : 0);
+ }
+ return new TicketFlags(value);
+ }
+
+ /**
+ * Decode each flag in ticketFlags into an boolean array
+ * @param ticketFlags
+ * @return
+ */
+ public static boolean[] ticketFlagsToBooleans(TicketFlags ticketFlags) {
+ boolean[] ret = new boolean[KERBEROS_TICKET_NUM_FLAGS];
+ int value = ticketFlags.getFlags();
+ for (int i = 0; i < KERBEROS_TICKET_NUM_FLAGS; i++) {
+ ret[KERBEROS_TICKET_NUM_FLAGS - i - 1] = (value & 0x1) != 0;
+ value = value >> 1;
+ }
+ return ret;
+ }
+
+ /**
+ * Construct a Ticket from bytes encoded by Asn1
+ * @param encoded
+ * @return
+ * @throws GSSException
+ */
+ public static Ticket getTicketFromAsn1Encoded(byte[] encoded) throws GSSException {
+ Ticket ticket = new Ticket();
+ ByteBuffer byteBuffer = ByteBuffer.wrap(encoded);
+ try {
+ ticket.decode(byteBuffer);
+ return ticket;
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, e.getMessage());
+ }
+ }
+
+ /**
+ * Construct a SgtTicket from KerberosTicket
+ * @param kerberosTicket
+ * @return
+ * @throws GSSException
+ */
+ public static SgtTicket getSgtTicketFromKerberosTicket(KerberosTicket kerberosTicket) throws GSSException {
+ if (kerberosTicket == null) {
+ return null;
+ }
+
+ Ticket ticket = getTicketFromAsn1Encoded(kerberosTicket.getEncoded());
+
+ EncTgsRepPart encTgsRepPart = new EncTgsRepPart();
+ fillEncKdcRepPart(encTgsRepPart, kerberosTicket);
+
+ SgtTicket sgt = new SgtTicket(ticket, encTgsRepPart);
+ return sgt;
+ }
+
+ /**
+ * Apply SgtTicket by sending TGS_REQ to KDC
+ * @param ticket
+ * @param service
+ * @return
+ */
+ public static SgtTicket applySgtCredential(KerberosTicket ticket, String service) throws GSSException {
+ TgtTicket tgt = getTgtTicketFromKerberosTicket(ticket);
+ return applySgtCredential(tgt, service);
+ }
+
+ public static SgtTicket applySgtCredential(TgtTicket tgt, String server) throws GSSException {
+ KrbClientBase client = getKrbClient();
+
+ SgtTicket sgt = null;
+ try {
+ client.init();
+ sgt = client.requestSgt(tgt, server);
+ return sgt;
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1, e.getMessage());
+ }
+ }
+
+ public static KerberosTicket convertKrbTicketToKerberosTicket(KrbTicket krbTicket, String clientName)
+ throws GSSException {
+ byte[] asn1Encoding;
+ try {
+ asn1Encoding = krbTicket.getTicket().encode();
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, e.getMessage());
+ }
+
+ byte[] sessionKey = krbTicket.getSessionKey().getKeyData();
+ int keyType = krbTicket.getSessionKey().getKeyType().getValue();
+
+ EncKdcRepPart encKdcRepPart = krbTicket.getEncKdcRepPart();
+ KerberosPrincipal client = new KerberosPrincipal(clientName);
+
+ PrincipalName serverPrinc = krbTicket.getTicket().getSname();
+ String serverName = serverPrinc.getName() + "@" + krbTicket.getTicket().getRealm();
+ KerberosPrincipal server = new KerberosPrincipal(serverName, serverPrinc.getNameType().getValue());
+
+ TicketFlags ticketFlags = encKdcRepPart.getFlags();
+ boolean[] flags = ticketFlagsToBooleans(ticketFlags);
+
+ Date authTime = new Date(encKdcRepPart.getAuthTime().getTime());
+ Date startTime = new Date(encKdcRepPart.getStartTime().getTime());
+ Date endTime = new Date(encKdcRepPart.getEndTime().getTime());
+ Date renewTill = new Date(encKdcRepPart.getRenewTill().getTime());
+
+ InetAddress[] clientAddresses = null;
+ List<HostAddress> hostAddresses = encKdcRepPart.getCaddr().getElements();
+ if (hostAddresses != null) {
+ int i = 0;
+ clientAddresses = new InetAddress[hostAddresses.size()];
+ for (HostAddress hostAddr : hostAddresses) {
+ try {
+ InetAddress iAddr = InetAddress.getByAddress(hostAddr.getAddress());
+ clientAddresses[i++] = iAddr;
+ } catch (UnknownHostException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Bad client address");
+ }
+ }
+ }
+
+ KerberosTicket ticket = new KerberosTicket(
+ asn1Encoding,
+ client,
+ server,
+ sessionKey,
+ keyType,
+ flags,
+ authTime,
+ startTime,
+ endTime,
+ renewTill,
+ clientAddresses
+ );
+ return ticket;
+ }
+
+ public static byte[] getAPRequest(PrincipalName clientPricipal, SgtTicket sgt) throws GSSException {
+ ApRequest apRequest = new ApRequest(clientPricipal, sgt);
+ try {
+ return apRequest.getApReq().encode();
+ } catch (Exception e) { // IOExcetpion, KrbException
+ throw new GSSException(GSSException.FAILURE, -1, "Generate ApReq failed: " + e.getMessage());
+ }
+ }
+
+ public static KrbClientBase getKrbClient() {
+ KrbClientBase client;
+ try {
+ File confSpecified = new File(getSystemProperty("java.security.krb5.conf"));
+ if (confSpecified != null) {
+ client = new KrbClientBase(confSpecified);
+ } else {
+ client = new KrbClientBase(); // get configure file from environment variable or default path
+ }
+
+ return client;
+ } catch (KrbException e) {
+ return null;
+ }
+ }
+
+ public static EncryptionKey[] convertKerberosKeyToEncryptionKey(KerberosKey[] krbKeys) {
+ if (krbKeys == null) {
+ return null;
+ }
+ EncryptionKey[] keys = new EncryptionKey[krbKeys.length];
+ int i = 0;
+ for (KerberosKey krbKey : krbKeys) {
+ keys[i++] = new EncryptionKey(krbKey.getKeyType(), krbKey.getEncoded());
+ }
+ return keys;
+ }
+
+ /**
+ * Filter out an appropriate KerberosKey from krbKeys and generate a
+ * EncryptionKey accordingly
+ *
+ * @param krbKeys
+ * @param encType
+ * @param kvno
+ * @return
+ */
+ public static EncryptionKey getEncryptionKey(KerberosKey[] krbKeys, int encType, int kvno) {
+ if (krbKeys == null) {
+ return null;
+ }
+ for (KerberosKey krbKey : krbKeys) {
+ if (krbKey.getKeyType() == encType && krbKey.getVersionNumber() == kvno && !krbKey.isDestroyed()) {
+ return new EncryptionKey(krbKey.getKeyType(), krbKey.getEncoded());
+ }
+ }
+ return null;
+ }
+
+ /**
+ * Get value of predefined system property
+ * @param name
+ * @return
+ */
+ private static String getSystemProperty(String name) {
+ if (name == null) {
+ return null;
+ }
+
+ final String propertyName = name;
+ try {
+ return AccessController.doPrivileged(
+ new PrivilegedExceptionAction<String>() {
+ public String run() {
+ return System.getProperty(propertyName);
+ }
+ });
+ } catch (PrivilegedActionException e) {
+ return null; // ignored
+ }
+ }
+
+ public static com.sun.security.jgss.AuthorizationDataEntry[]
+ kerbyAuthorizationDataToJgssAuthorizationDataEntries(AuthorizationData authData) {
+ if (authData == null) {
+ return null;
+ }
+ List<AuthorizationDataEntry> kerbyEntries = authData.getElements();
+ com.sun.security.jgss.AuthorizationDataEntry[] entries =
+ new com.sun.security.jgss.AuthorizationDataEntry[kerbyEntries.size()];
+ for (int i = 0; i < kerbyEntries.size(); i++) {
+ entries[i] = new com.sun.security.jgss.AuthorizationDataEntry(
+ kerbyEntries.get(i).getAuthzType().getValue(),
+ kerbyEntries.get(i).getAuthzData());
+ }
+ return entries;
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/d58e3423/kerby-kerb/pom.xml
----------------------------------------------------------------------
diff --git a/kerby-kerb/pom.xml b/kerby-kerb/pom.xml
index 118dfef..d795f27 100644
--- a/kerby-kerb/pom.xml
+++ b/kerby-kerb/pom.xml
@@ -41,5 +41,6 @@
<module>kerb-simplekdc</module>
<module>kerb-client-api-all</module>
<module>kerb-server-api-all</module>
+ <module>kerb-gssapi</module>
</modules>
</project>
[16/18] directory-kerby git commit: PMD fix
Posted by co...@apache.org.
PMD fix
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/1e30df40
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/1e30df40
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/1e30df40
Branch: refs/heads/trunk
Commit: 1e30df40637e68ad1af472cb6ffa90c6473f3b2f
Parents: ee2e516
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Jul 21 15:14:12 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 15:14:12 2017 +0100
----------------------------------------------------------------------
kerby-kerb/kerb-gssapi/pom.xml | 2 +-
.../java/org/apache/kerby/kerberos/kerb/gss/impl/WrapTokenV2.java | 1 -
2 files changed, 1 insertion(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/1e30df40/kerby-kerb/kerb-gssapi/pom.xml
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/pom.xml b/kerby-kerb/kerb-gssapi/pom.xml
index fd69078..9918b92 100644
--- a/kerby-kerb/kerb-gssapi/pom.xml
+++ b/kerby-kerb/kerb-gssapi/pom.xml
@@ -18,7 +18,7 @@
<parent>
<groupId>org.apache.kerby</groupId>
<artifactId>kerby-kerb</artifactId>
- <version>1.0.0-RC3-SNAPSHOT</version>
+ <version>1.0.1-SNAPSHOT</version>
</parent>
<artifactId>kerb-gssapi</artifactId>
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/1e30df40/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/WrapTokenV2.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/WrapTokenV2.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/WrapTokenV2.java
index 8f4cae4..3161e2f 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/WrapTokenV2.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/WrapTokenV2.java
@@ -19,7 +19,6 @@
*/
package org.apache.kerby.kerberos.kerb.gss.impl;
-import org.apache.kerby.kerberos.kerb.Message;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.MessageProp;
[03/18] directory-kerby git commit: DIRKRB-559 - Validataion of ApReq
and ApRep message in peer node. Thanks to Wei Zhou.
Posted by co...@apache.org.
DIRKRB-559 - Validataion of ApReq and ApRep message in peer node. Thanks to Wei Zhou.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/2c1f222f
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/2c1f222f
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/2c1f222f
Branch: refs/heads/trunk
Commit: 2c1f222f3c062ec9a628e8956eef950f58864fc7
Parents: b81a39b
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Jul 21 14:46:11 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 14:46:11 2017 +0100
----------------------------------------------------------------------
.../kerby/kerberos/kerb/request/ApRequest.java | 37 +++++++++++++++++
.../kerberos/kerb/response/ApResponse.java | 42 ++++++++++++++++----
.../kerby/kerberos/kerb/type/KerberosTime.java | 22 ++++++++++
3 files changed, 94 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/2c1f222f/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
index 82666a6..096b0de 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
@@ -29,12 +29,15 @@ import org.apache.kerby.kerberos.kerb.type.ap.ApReq;
import org.apache.kerby.kerberos.kerb.type.ap.Authenticator;
import org.apache.kerby.kerberos.kerb.type.base.EncryptedData;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.type.base.HostAddresses;
import org.apache.kerby.kerberos.kerb.type.base.KeyUsage;
import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
import org.apache.kerby.kerberos.kerb.type.ticket.EncTicketPart;
import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
import org.apache.kerby.kerberos.kerb.type.ticket.Ticket;
+import java.net.InetAddress;
+
/**
* A wrapper for ApReq request
* The client principal and sgt ticket are needed to create ApReq message.
@@ -118,6 +121,40 @@ public class ApRequest {
}
/*
+ * Validate the ApReq with channel binding and time
+ */
+ public static void validate(EncryptionKey encKey, ApReq apReq,
+ InetAddress initiator,
+ long timeSkew) throws KrbException {
+ validate(encKey, apReq);
+ Ticket ticket = apReq.getTicket();
+ EncTicketPart tktEncPart = ticket.getEncPart();
+ Authenticator authenticator = apReq.getAuthenticator();
+ if (initiator != null) {
+ HostAddresses clientAddrs = tktEncPart.getClientAddresses();
+ if (clientAddrs != null && !clientAddrs.contains(initiator)) {
+ throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADADDR);
+ }
+ }
+
+ if (timeSkew != 0) {
+ if (authenticator.getCtime().isInClockSkew(timeSkew)) {
+ throw new KrbException(KrbErrorCode.KRB_AP_ERR_SKEW);
+ }
+
+ KerberosTime now = KerberosTime.now();
+ KerberosTime startTime = tktEncPart.getStartTime();
+ if (startTime != null && startTime.greaterThanWithSkew(now, timeSkew)) {
+ throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_NYV);
+ }
+
+ if (tktEncPart.getEndTime().lessThanWithSkew(now, timeSkew)) {
+ throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_EXPIRED);
+ }
+ }
+ }
+
+ /*
* Unseal the authenticator through the encryption key from ticket
*/
public static void unsealAuthenticator(EncryptionKey encKey, ApReq apReq) throws KrbException {
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/2c1f222f/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/response/ApResponse.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/response/ApResponse.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/response/ApResponse.java
index 2d01004..344fe83 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/response/ApResponse.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/response/ApResponse.java
@@ -19,12 +19,13 @@
*/
package org.apache.kerby.kerberos.kerb.response;
+import org.apache.kerby.kerberos.kerb.KrbErrorCode;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
import org.apache.kerby.kerberos.kerb.request.ApRequest;
-import org.apache.kerby.kerberos.kerb.type.KerberosTime;
import org.apache.kerby.kerberos.kerb.type.ap.ApRep;
import org.apache.kerby.kerberos.kerb.type.ap.ApReq;
+import org.apache.kerby.kerberos.kerb.type.ap.Authenticator;
import org.apache.kerby.kerberos.kerb.type.ap.EncAPRepPart;
import org.apache.kerby.kerberos.kerb.type.base.EncryptedData;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
@@ -43,8 +44,14 @@ public class ApResponse {
this.encryptionKey = encryptionKey;
}
+ public ApResponse(ApReq apReq) {
+ this.apReq = apReq;
+ }
+
public ApRep getApRep() throws KrbException {
- ApRequest.validate(encryptionKey, apReq);
+ if (encryptionKey != null) {
+ ApRequest.validate(encryptionKey, apReq);
+ }
if (apRep == null) {
apRep = makeApRep();
@@ -64,17 +71,38 @@ public class ApResponse {
ApRep apRep = new ApRep();
EncAPRepPart encAPRepPart = new EncAPRepPart();
+
+ Authenticator auth = apReq.getAuthenticator();
// This field contains the current time on the client's host.
- encAPRepPart.setCtime(KerberosTime.now());
+ encAPRepPart.setCtime(auth.getCtime());
// This field contains the microsecond part of the client's timestamp.
- encAPRepPart.setCusec((int) KerberosTime.now().getTimeInSeconds());
- encAPRepPart.setSubkey(apReq.getAuthenticator().getSubKey());
+ encAPRepPart.setCusec(auth.getCusec());
+ encAPRepPart.setSubkey(auth.getSubKey());
encAPRepPart.setSeqNumber(0);
apRep.setEncRepPart(encAPRepPart);
- EncryptedData encPart = EncryptionUtil.seal(encAPRepPart,
- apReq.getAuthenticator().getSubKey(), KeyUsage.AP_REP_ENCPART);
+ EncryptedData encPart = EncryptionUtil.seal(encAPRepPart, auth.getSubKey(), KeyUsage.AP_REP_ENCPART);
apRep.setEncryptedEncPart(encPart);
return apRep;
}
+
+ /**
+ * Validation for KRB_AP_REP message
+ * @param encKey key used to encrypt encrypted part of KRB_AP_REP message
+ * @param apRep KRB_AP_REP message received
+ * @param apReqSent the KRB_AP_REQ message that caused the KRB_AP_REP message from server
+ * @throws KrbException
+ */
+ public static void validate(EncryptionKey encKey, ApRep apRep, ApReq apReqSent) throws KrbException {
+ EncAPRepPart encPart = EncryptionUtil.unseal(apRep.getEncryptedEncPart(),
+ encKey, KeyUsage.AP_REP_ENCPART, EncAPRepPart.class);
+ apRep.setEncRepPart(encPart);
+ if (apReqSent != null) {
+ Authenticator auth = apReqSent.getAuthenticator();
+ if (!encPart.getCtime().equals(auth.getCtime())
+ || encPart.getCusec() != auth.getCusec()) {
+ throw new KrbException(KrbErrorCode.KRB_AP_ERR_MUT_FAIL);
+ }
+ }
+ }
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/2c1f222f/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/KerberosTime.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/KerberosTime.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/KerberosTime.java
index c89b0cc..e3da3b1 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/KerberosTime.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/KerberosTime.java
@@ -107,6 +107,17 @@ public class KerberosTime extends Asn1GeneralizedTime {
/**
* Compare the KerberosTime with another one, and return <tt>true</tt>
+ * if it's lesser than the provided one with time skew
+ * @param ktime
+ * @param skew Maximum time skew in milliseconds
+ * @return <tt>true</tt> if less
+ */
+ public boolean lessThanWithSkew(KerberosTime ktime, long skew) {
+ return diff(ktime) - skew <= 0;
+ }
+
+ /**
+ * Compare the KerberosTime with another one, and return <tt>true</tt>
* if it's greater than the provided one
*
* @param ktime compare with milliseconds
@@ -117,6 +128,17 @@ public class KerberosTime extends Asn1GeneralizedTime {
}
/**
+ * Compare the KerberosTime with another one, and return <tt>true</tt>
+ * if it's greater than the provided one with time skew
+ * @param ktime
+ * @param skew Maximum time skew in milliseconds
+ * @return <tt>true</tt> if greater
+ */
+ public boolean greaterThanWithSkew(KerberosTime ktime, long skew) {
+ return diff(ktime) + skew >= 0;
+ }
+
+ /**
* Check if the KerberosTime is within the provided clock skew
*
* @param clockSkew The clock skew
[05/18] directory-kerby git commit: DIRKRB-565 - Implement Gss tokens
defined in RFC 4121. Thanks to Wei Zhou.
Posted by co...@apache.org.
DIRKRB-565 - Implement Gss tokens defined in RFC 4121. Thanks to Wei Zhou.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/33b0a728
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/33b0a728
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/33b0a728
Branch: refs/heads/trunk
Commit: 33b0a728dd544268560c1c4c0252b0c5278810a1
Parents: 0602444
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Jul 21 14:47:22 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 14:47:22 2017 +0100
----------------------------------------------------------------------
.../kerberos/kerb/gssapi/krb5/KerbyContext.java | 10 +
.../kerb/gssapi/krb5/KerbyGssEncryptor.java | 138 +++++++++
.../kerb/gssapi/krb5/KerbyGssTokenBase.java | 59 ++++
.../kerb/gssapi/krb5/KerbyGssTokenV2.java | 282 +++++++++++++++++++
.../kerberos/kerb/gssapi/krb5/KerbyUtil.java | 1 -
.../kerberos/kerb/gssapi/krb5/MicTokenV2.java | 94 +++++++
.../kerberos/kerb/gssapi/krb5/WrapTokenV2.java | 154 ++++++++++
7 files changed, 737 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/33b0a728/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
index e017683..b450cc9 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
@@ -86,6 +86,8 @@ public class KerbyContext implements GSSContextSpi {
private TicketFlags ticketFlags;
private ApReq outApReq;
+ private KerbyGssEncryptor gssEncryptor;
+
// Called on initiator's side.
public KerbyContext(GSSCaller caller, KerbyNameElement peerName, KerbyCredElement myCred,
int lifeTime)
@@ -294,11 +296,13 @@ public class KerbyContext implements GSSContextSpi {
ctxState = STATE_ESTABLISHING;
if (!getMutualAuthState()) {
+ gssEncryptor = new KerbyGssEncryptor(getSessionKey());
ctxState = STATE_ESTABLISHED;
}
} else if (ctxState == STATE_ESTABLISHING) {
verifyServerToken(is, mechTokenSize);
+ gssEncryptor = new KerbyGssEncryptor(getSessionKey());
outApReq = null;
ctxState = STATE_ESTABLISHED;
}
@@ -389,6 +393,8 @@ public class KerbyContext implements GSSContextSpi {
ret = verifyClientToken(acceptCred, is, mechTokenSize);
}
+ gssEncryptor = new KerbyGssEncryptor(getSessionKey());
+
myCred = null;
ctxState = STATE_ESTABLISHED;
}
@@ -607,4 +613,8 @@ public class KerbyContext implements GSSContextSpi {
return peerSequenceNumber++;
}
}
+
+ public KerbyGssEncryptor getGssEncryptor() {
+ return gssEncryptor;
+ }
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/33b0a728/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssEncryptor.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssEncryptor.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssEncryptor.java
new file mode 100644
index 0000000..d65346b
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssEncryptor.java
@@ -0,0 +1,138 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gssapi.krb5;
+
+
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.crypto.CheckSumHandler;
+import org.apache.kerby.kerberos.kerb.crypto.CheckSumTypeHandler;
+import org.apache.kerby.kerberos.kerb.crypto.EncTypeHandler;
+import org.apache.kerby.kerberos.kerb.crypto.EncryptionHandler;
+import org.apache.kerby.kerberos.kerb.type.base.CheckSumType;
+import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.type.base.EncryptionType;
+import org.ietf.jgss.GSSException;
+
+/**
+ * This class implements encryption related function used in GSS tokens
+ */
+public class KerbyGssEncryptor {
+
+ private EncryptionKey encKey;
+ private boolean isV2 = false;
+
+ public KerbyGssEncryptor(EncryptionKey key) throws GSSException {
+ encKey = key;
+ EncryptionType keyType = key.getKeyType();
+ // TODO: add support for other algorithms
+ if (keyType == EncryptionType.AES128_CTS_HMAC_SHA1_96
+ || keyType == EncryptionType.AES256_CTS_HMAC_SHA1_96) {
+ isV2 = true;
+ } else {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Invalid encryption type: " + key.getKeyType().getDisplayName());
+ }
+ }
+
+ /**
+ * Return true if it is encryption type defined in RFC 4121
+ * @return
+ */
+ public boolean isV2() {
+ return isV2;
+ }
+
+ public byte[] encryptData(byte[] tokenHeader, byte[] data,
+ int offset, int len, int keyUsage) throws GSSException {
+ byte[] ret;
+ byte[] toProcess = new byte[tokenHeader.length + len];
+ System.arraycopy(data, offset, toProcess, 0, len);
+ System.arraycopy(tokenHeader, 0, toProcess, len, tokenHeader.length);
+
+ ret = encryptData(toProcess, keyUsage);
+ return ret;
+ }
+
+ public byte[] encryptData(byte[] toProcess, int keyUsage) throws GSSException {
+ byte[] ret;
+ try {
+ EncTypeHandler encHandler = EncryptionHandler.getEncHandler(encKey.getKeyType());
+ ret = encHandler.encrypt(toProcess, encKey.getKeyData(), keyUsage);
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1, e.getMessage());
+ }
+ return ret;
+ }
+
+ public byte[] decryptData(byte[] dataEncrypted, int keyUsage) throws GSSException {
+ byte[] ret;
+ try {
+ EncTypeHandler encHandler = EncryptionHandler.getEncHandler(encKey.getKeyType());
+ ret = encHandler.decrypt(dataEncrypted, encKey.getKeyData(), keyUsage);
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1, e.getMessage());
+ }
+ return ret;
+ }
+
+ public byte[] calculateCheckSum(byte[] header, byte[] data, int offset, int len, int keyUsage)
+ throws GSSException {
+ int totalLen = len + (header == null ? 0 : header.length);
+ byte[] buffer = new byte[totalLen];
+ System.arraycopy(data, offset, buffer, 0, len);
+ if (header != null) {
+ System.arraycopy(header, 0, buffer, len, header.length);
+ }
+
+ try {
+ return getCheckSumHandler().checksumWithKey(buffer, encKey.getKeyData(), keyUsage);
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Exception in checksum calculation:" + encKey.getKeyType().getName());
+ }
+ }
+
+ private CheckSumTypeHandler getCheckSumHandler() throws GSSException {
+ CheckSumType checkSumType;
+ if (encKey.getKeyType() == EncryptionType.AES128_CTS_HMAC_SHA1_96) {
+ checkSumType = CheckSumType.HMAC_SHA1_96_AES128;
+ } else if (encKey.getKeyType() == EncryptionType.AES256_CTS_HMAC_SHA1_96) {
+ checkSumType = CheckSumType.HMAC_SHA1_96_AES256;
+ } else {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Unsupported checksum encryption type:" + encKey.getKeyType().getName());
+ }
+ try {
+ return CheckSumHandler.getCheckSumHandler(checkSumType);
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Unsupported checksum type:" + checkSumType.getName());
+ }
+ }
+
+ /**
+ * Get the size of the corresponding checksum algorithm
+ * @return
+ * @throws GSSException
+ */
+ public int getCheckSumSize() throws GSSException {
+ return getCheckSumHandler().cksumSize();
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/33b0a728/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenBase.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenBase.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenBase.java
new file mode 100644
index 0000000..ae5122f
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenBase.java
@@ -0,0 +1,59 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gssapi.krb5;
+
+
+public abstract class KerbyGssTokenBase {
+ public static final int TOKEN_WRAP_V1 = 0x201;
+ public static final int TOKEN_MIC_V1 = 0x101;
+ public static final int TOKEN_WRAP_V2 = 0x504;
+ public static final int TOKEN_MIC_V2 = 0x404;
+
+ public void writeBigEndian(byte[] buf, int offset, int value) {
+ buf[offset] = (byte) (value >>> 24);
+ buf[offset + 1] = (byte) (value >>> 16);
+ buf[offset + 2] = (byte) (value >>> 8);
+ buf[offset + 3] = (byte) (value);
+ }
+
+ public int readBigEndian(byte[] buf, int offset) {
+ int value = 0;
+ value += (buf[offset] & 0xFF) << 24;
+ value += (buf[offset + 1] & 0xFF) << 16;
+ value += (buf[offset + 2] & 0xFF) << 8;
+ value += buf[offset + 3] & 0xFF;
+ return value;
+ }
+
+ /**
+ *
+ * @param buf
+ * @param offset
+ * @param len should not be larger than sizeof(int)
+ * @return
+ */
+ public int readBigEndian(byte[] buf, int offset, int len) {
+ int value = 0;
+ for (int i = 0; i < len; i++) {
+ value += (buf[offset + i] & 0xFF) << 8;
+ }
+ return value;
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/33b0a728/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenV2.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenV2.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenV2.java
new file mode 100644
index 0000000..f2d220a
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenV2.java
@@ -0,0 +1,282 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gssapi.krb5;
+
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.MessageProp;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.security.MessageDigest;
+
+/**
+ * This class implements the token formats defined in RFC 4121.
+ */
+abstract class KerbyGssTokenV2 extends KerbyGssTokenBase {
+ public static final int CONFOUNDER_SIZE = 16;
+ public static final int TOKEN_HEADER_SIZE = 16;
+ private static final int OFFSET_EC = 4;
+ private static final int OFFSET_RRC = 6;
+
+ // context states
+ private boolean isInitiator = true;
+ private boolean acceptorSubKey = false;
+ private boolean confState = true;
+ private int sequenceNumber;
+
+ // token data
+ protected int tokenType;
+ private byte[] header = new byte[TOKEN_HEADER_SIZE];
+ protected byte[] tokenData;
+
+ protected byte[] checkSum;
+ private int ec;
+ private int rrc;
+
+ static final int KG_USAGE_ACCEPTOR_SEAL = 22;
+ static final int KG_USAGE_ACCEPTOR_SIGN = 23;
+ static final int KG_USAGE_INITIATOR_SEAL = 24;
+ static final int KG_USAGE_INITIATOR_SIGN = 25;
+ private int keyUsage;
+
+ private static final int FLAG_SENT_BY_ACCEPTOR = 1;
+ private static final int FLAG_SEALED = 2;
+ private static final int FLAG_ACCEPTOR_SUBKEY = 4;
+
+ protected KerbyGssEncryptor encryptor;
+
+
+ // Create a new token
+ KerbyGssTokenV2(int tokenType, KerbyContext context) throws GSSException {
+ initialize(tokenType, context, false);
+ }
+
+ private void initialize(int tokenType, KerbyContext context, boolean reconstruct) throws GSSException {
+ this.tokenType = tokenType;
+ this.isInitiator = context.isInitiator();
+ this.acceptorSubKey = context.getKeyComesFrom() == KerbyContext.ACCEPTOR_SUBKEY;
+ this.confState = context.getConfState();
+
+ boolean usageFlag = reconstruct ? !this.isInitiator : this.isInitiator;
+ if (tokenType == TOKEN_WRAP_V2) {
+ keyUsage = usageFlag ? KG_USAGE_INITIATOR_SEAL : KG_USAGE_ACCEPTOR_SEAL;
+ } else if (tokenType == TOKEN_MIC_V2) {
+ keyUsage = usageFlag ? KG_USAGE_INITIATOR_SIGN : KG_USAGE_ACCEPTOR_SIGN;
+ }
+
+ encryptor = context.getGssEncryptor();
+
+ if (!reconstruct) {
+ this.sequenceNumber = context.incMySequenceNumber();
+ }
+ }
+
+ // Reconstruct token from bytes received
+ KerbyGssTokenV2(int tokenType, KerbyContext context,
+ MessageProp prop, byte[] token, int offset, int len) throws GSSException {
+ this(tokenType, context, prop, new ByteArrayInputStream(token, offset, len));
+ }
+
+ // Reconstruct token from input stream
+ KerbyGssTokenV2(int tokenType, KerbyContext context,
+ MessageProp prop, InputStream is) throws GSSException {
+ initialize(tokenType, context, true);
+
+ if (!confState) {
+ prop.setPrivacy(false);
+ }
+
+ reconstructTokenHeader(prop, is);
+
+ int minSize;
+ if (tokenType == TOKEN_WRAP_V2 && prop.getPrivacy()) {
+ minSize = CONFOUNDER_SIZE + TOKEN_HEADER_SIZE + encryptor.getCheckSumSize();
+ } else {
+ minSize = encryptor.getCheckSumSize();
+ }
+
+ try {
+ int tokenLen = is.available();
+
+ if (tokenType == TOKEN_MIC_V2) {
+ tokenLen = minSize;
+ tokenData = new byte[tokenLen];
+ is.read(tokenData);
+ } else {
+ if (tokenLen >= minSize) {
+ tokenData = new byte[tokenLen];
+ is.read(tokenData);
+ } else {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token length");
+ }
+ }
+
+ if (tokenType == TOKEN_WRAP_V2) {
+ tokenData = rotate(tokenData);
+ }
+
+ if (tokenType == TOKEN_MIC_V2
+ || tokenType == TOKEN_WRAP_V2 && !prop.getPrivacy()) {
+ int checksumLen = encryptor.getCheckSumSize();
+
+ if (tokenType != TOKEN_MIC_V2 && checksumLen != ec) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid EC");
+ }
+
+ checkSum = new byte[checksumLen];
+ System.arraycopy(tokenData, tokenLen - checksumLen, checkSum, 0, checksumLen);
+ }
+ } catch (IOException e) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token");
+ }
+ }
+
+ private byte[] rotate(byte[] data) {
+ int dataLen = data.length;
+ if (rrc % dataLen != 0) {
+ rrc = rrc % dataLen;
+ byte[] newBytes = new byte[dataLen];
+
+ System.arraycopy(data, rrc, newBytes, 0, dataLen - rrc);
+ System.arraycopy(data, 0, newBytes, dataLen - rrc, rrc);
+ data = newBytes;
+ }
+ return data;
+ }
+
+ public int getKeyUsage() {
+ return keyUsage;
+ }
+
+ public void generateCheckSum(MessageProp prop, byte[] data, int offset, int len) throws GSSException {
+ // generate token header
+ createTokenHeader(prop.getPrivacy());
+
+ if (tokenType == TOKEN_MIC_V2
+ || !prop.getPrivacy() && tokenType == TOKEN_WRAP_V2) {
+ checkSum = getCheckSum(data, offset, len);
+ }
+
+ if (!prop.getPrivacy() && tokenType == TOKEN_WRAP_V2) {
+ header[4] = (byte) (checkSum.length >>> 8);
+ header[5] = (byte) (checkSum.length & 0xFF);
+ }
+ }
+
+ public byte[] getCheckSum(byte[] data, int offset, int len) throws GSSException {
+ int confidentialFlag = header[2] & 2;
+ if (confidentialFlag == 0 && tokenType == TOKEN_WRAP_V2) {
+ header[4] = 0;
+ header[5] = 0;
+ header[6] = 0;
+ header[7] = 0;
+ }
+ return encryptor.calculateCheckSum(header, data, offset, len, keyUsage);
+ }
+
+ public boolean verifyCheckSum(byte[] data, int offset, int len) throws GSSException {
+ byte[] dataCheckSum = getCheckSum(data, offset, len);
+ return MessageDigest.isEqual(checkSum, dataCheckSum);
+ }
+
+ // Create a new header
+ private void createTokenHeader(boolean privacy) {
+ header[0] = (byte) (tokenType >>> 8);
+ header[1] = (byte) tokenType;
+
+ int flags = isInitiator ? 0 : FLAG_SENT_BY_ACCEPTOR;
+ flags |= privacy && tokenType != TOKEN_MIC_V2 ? FLAG_SEALED : 0;
+ flags |= acceptorSubKey ? FLAG_ACCEPTOR_SUBKEY : 0;
+
+ header[2] = (byte) (flags & 0xFF);
+ header[3] = (byte) 0xFF;
+
+ if (tokenType == TOKEN_WRAP_V2) {
+ header[4] = (byte) 0;
+ header[5] = (byte) 0;
+ header[6] = (byte) 0;
+ header[7] = (byte) 0;
+ } else if (tokenType == TOKEN_MIC_V2) {
+ header[4] = (byte) 0xFF;
+ header[5] = (byte) 0xFF;
+ header[6] = (byte) 0xFF;
+ header[7] = (byte) 0xFF;
+ }
+ writeBigEndian(header, 12, sequenceNumber);
+ }
+
+ // Reconstruct a token header
+ private void reconstructTokenHeader(MessageProp prop, InputStream is) throws GSSException {
+ try {
+ if (is.read(header, 0, header.length) != header.length) {
+ throw new GSSException(GSSException.FAILURE, -1, "Token header can not be read");
+ }
+ int tokenIDRecv = (((int) header[0]) << 8) + header[1];
+ if (tokenIDRecv != tokenType) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1,
+ "Token ID should be " + tokenType + " instead of " + tokenIDRecv);
+ }
+
+ int senderFlag = isInitiator ? FLAG_SENT_BY_ACCEPTOR : 0;
+ int senderFlagRecv = header[2] & FLAG_SENT_BY_ACCEPTOR;
+ if (senderFlagRecv != senderFlag) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid acceptor flag");
+ }
+
+ int confFlagRecv = header[2] & FLAG_SEALED;
+ if (confFlagRecv == FLAG_SEALED && tokenType == TOKEN_WRAP_V2) {
+ prop.setPrivacy(true);
+ } else {
+ prop.setPrivacy(false);
+ }
+
+ if (tokenType == TOKEN_WRAP_V2) {
+ if (header[3] != (byte) 0xFF) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token filler");
+ }
+
+ ec = readBigEndian(header, OFFSET_EC, 2);
+ rrc = readBigEndian(header, OFFSET_RRC, 2);
+ } else if (tokenType == TOKEN_MIC_V2) {
+ for (int i = 3; i < 8; i++) {
+ if ((header[i] & 0xFF) != 0xFF) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token filler");
+ }
+ }
+ }
+
+ prop.setQOP(0);
+ sequenceNumber = readBigEndian(header, 0, 8);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Phrase token header failed");
+ }
+ }
+
+ public int encodeHeader(byte[] buf, int offset) {
+ System.arraycopy(header, 0, buf, offset, TOKEN_HEADER_SIZE);
+ return TOKEN_HEADER_SIZE;
+ }
+
+ public void encodeHeader(OutputStream os) throws IOException {
+ os.write(header);
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/33b0a728/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyUtil.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyUtil.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyUtil.java
index a5abb46..081788b 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyUtil.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyUtil.java
@@ -21,7 +21,6 @@ package org.apache.kerby.kerberos.kerb.gssapi.krb5;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.client.KrbClientBase;
-import org.apache.kerby.kerberos.kerb.request.ApRequest;
import org.apache.kerby.kerberos.kerb.type.KerberosTime;
import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationData;
import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationDataEntry;
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/33b0a728/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/MicTokenV2.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/MicTokenV2.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/MicTokenV2.java
new file mode 100644
index 0000000..7ba27ab
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/MicTokenV2.java
@@ -0,0 +1,94 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gssapi.krb5;
+
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.MessageProp;
+
+import java.io.IOException;
+import java.io.OutputStream;
+
+public class MicTokenV2 extends KerbyGssTokenV2 {
+ private MessageProp prop;
+
+ // This is called to construct MicToken from user input
+ MicTokenV2(KerbyContext context,
+ byte[] inMsg,
+ int msgOffset,
+ int msgLength,
+ MessageProp messageProp) throws GSSException {
+ super(TOKEN_MIC_V2, context);
+
+ prop = messageProp;
+ if (prop == null) {
+ prop = new MessageProp(0, false);
+ }
+
+ generateCheckSum(prop, inMsg, msgOffset, msgLength);
+ }
+
+ // This is called to construct MicToken from MicToken bytes
+ MicTokenV2(KerbyContext context,
+ MessageProp messageProp,
+ byte[] inToken,
+ int tokenOffset,
+ int tokenLength) throws GSSException {
+ super(TOKEN_MIC_V2, context, messageProp, inToken, tokenOffset, tokenLength);
+ this.prop = messageProp;
+ }
+
+ public int getMic(byte[] outToken, int offset) {
+ encodeHeader(outToken, offset);
+ System.arraycopy(checkSum, 0, outToken, TOKEN_HEADER_SIZE + offset, checkSum.length);
+ return TOKEN_HEADER_SIZE + checkSum.length;
+ }
+
+ /**
+ * Get bytes for this Mic token
+ * @return
+ */
+ public byte[] getMic() {
+ byte[] ret = new byte[TOKEN_HEADER_SIZE + checkSum.length];
+ getMic(ret, 0);
+ return ret;
+ }
+
+ public void getMic(OutputStream os) throws GSSException {
+ try {
+ encodeHeader(os);
+ os.write(checkSum);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Output MicTokenV2 error:" + e.getMessage());
+ }
+ }
+
+ /**
+ * Calculate the checksum for inMsg and compare with it with this token, throw GssException if not equal
+ * @param inMsg
+ * @param msgOffset
+ * @param msgLen
+ * @throws GSSException
+ */
+ public void verify(byte[] inMsg, int msgOffset, int msgLen) throws GSSException {
+ if (!verifyCheckSum(inMsg, msgOffset, msgLen)) {
+ throw new GSSException(GSSException.BAD_MIC, -1, "Corrupt MIC token");
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/33b0a728/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV2.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV2.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV2.java
new file mode 100644
index 0000000..6d78304
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV2.java
@@ -0,0 +1,154 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gssapi.krb5;
+
+import org.apache.kerby.kerberos.kerb.Message;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.MessageProp;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+
+
+public class WrapTokenV2 extends KerbyGssTokenV2 {
+ private MessageProp prop;
+
+ // Generate a token from user input data
+ WrapTokenV2(KerbyContext context,
+ byte[] data,
+ int dataOffset,
+ int dataLength,
+ MessageProp messageProp) throws GSSException {
+ super(TOKEN_WRAP_V2, context);
+
+ prop = messageProp;
+
+ if (prop.getQOP() != 0) {
+ prop.setQOP(0);
+ }
+
+ if (!context.getConfState()) {
+ prop.setPrivacy(false);
+ }
+
+ generateCheckSum(prop, data, dataOffset, dataLength);
+
+ if (prop.getPrivacy()) {
+ byte[] toProcess = new byte[dataLength + TOKEN_HEADER_SIZE];
+ System.arraycopy(data, dataOffset, toProcess, 0, dataLength);
+ encodeHeader(toProcess, dataLength);
+
+ tokenData = encryptor.encryptData(toProcess, getKeyUsage());
+ } else {
+ tokenData = data; // keep it for now
+ }
+ }
+
+ /**
+ * Get bytes of the token
+ * @return
+ */
+ public byte[] wrap() {
+ int dataSize = tokenData.length;
+ int ckSize = checkSum == null ? 0 : checkSum.length;
+ byte[] ret = new byte[TOKEN_HEADER_SIZE + dataSize + ckSize];
+ encodeHeader(ret, 0);
+ System.arraycopy(tokenData, 0, ret, TOKEN_HEADER_SIZE, dataSize);
+ if (ckSize > 0) {
+ System.arraycopy(checkSum, 0, ret, TOKEN_HEADER_SIZE + dataSize, ckSize);
+ }
+ return ret;
+ }
+
+ public void wrap(OutputStream os) throws GSSException {
+ try {
+ encodeHeader(os);
+ os.write(tokenData);
+ int ckSize = checkSum == null ? 0 : checkSum.length;
+ if (ckSize > 0) {
+ os.write(checkSum);
+ }
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Output token error:" + e.getMessage());
+ }
+ }
+
+ // Reconstruct a token from token bytes
+ public WrapTokenV2(KerbyContext context, MessageProp prop, byte[] token, int offset, int len) throws GSSException {
+ super(TOKEN_WRAP_V2, context, prop, token, offset, len);
+ this.prop = prop;
+ }
+
+ // Reconstruct a token from token bytes stream
+ public WrapTokenV2(KerbyContext context, MessageProp prop, InputStream is) throws GSSException {
+ super(TOKEN_WRAP_V2, context, prop, is);
+ this.prop = prop;
+ }
+
+ /**
+ * Get plain text data from token bytes
+ * @param outBuffer
+ * @param offset
+ * @return plain text contained in the wrap token
+ * @throws GSSException
+ */
+ public byte[] unwrap(byte[] outBuffer, int offset) throws GSSException {
+ int lenToCopy;
+ if (prop.getPrivacy()) {
+ byte[] plainText = encryptor.decryptData(tokenData, getKeyUsage());
+ lenToCopy = plainText.length - TOKEN_HEADER_SIZE;
+ if (outBuffer == null) {
+ outBuffer = new byte[lenToCopy];
+ offset = 0;
+ }
+ System.arraycopy(plainText, 0, outBuffer, offset, lenToCopy);
+ } else {
+ lenToCopy = tokenData.length - encryptor.getCheckSumSize();
+ if (outBuffer == null) {
+ outBuffer = new byte[lenToCopy];
+ offset = 0;
+ }
+ System.arraycopy(tokenData, 0, outBuffer, offset, lenToCopy);
+
+ if (!verifyCheckSum(outBuffer, offset, lenToCopy)) {
+ throw new GSSException(GSSException.BAD_MIC, -1, "Corrupt token checksum");
+ }
+ }
+ return outBuffer;
+ }
+
+ public byte[] unwrap() throws GSSException {
+ return unwrap(null, 0);
+ }
+
+ public void unwrap(OutputStream os) throws GSSException {
+ byte[] data = unwrap();
+ try {
+ os.write(data);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Output token error:" + e.getMessage());
+ }
+ }
+
+ static int getSizeLimit(int qop, boolean confReq, int maxTokSize) {
+ return maxTokSize; // TODO: to be implemented
+ }
+}
[07/18] directory-kerby git commit: DIRKRB-568 - Using RFC 4121
tokens in KerbyContext. Thanks to Wei Zhou.
Posted by co...@apache.org.
DIRKRB-568 - Using RFC 4121 tokens in KerbyContext. Thanks to Wei Zhou.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/706b85e3
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/706b85e3
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/706b85e3
Branch: refs/heads/trunk
Commit: 706b85e3dd943b8832815828534210b2c4a70789
Parents: 8618cae
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Jul 21 14:55:32 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 14:55:32 2017 +0100
----------------------------------------------------------------------
.../apache/kerby/kerberos/kerb/request/ApRequest.java | 11 +++++++----
.../kerby/kerberos/kerb/gssapi/KerbyMechFactory.java | 9 ++++-----
2 files changed, 11 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/706b85e3/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
index 096b0de..44f5b47 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
@@ -89,8 +89,11 @@ public class ApRequest {
authenticator.setAuthenticatorVno(5);
authenticator.setCname(clientPrincipal);
authenticator.setCrealm(sgtTicket.getRealm());
- authenticator.setCtime(KerberosTime.now());
- authenticator.setCusec(0);
+ long millis = System.currentTimeMillis();
+ int usec = (int) (millis % 1000) * 1000;
+ millis -= millis % 1000;
+ authenticator.setCtime(new KerberosTime(millis));
+ authenticator.setCusec(usec);
authenticator.setSubKey(sgtTicket.getSessionKey());
return authenticator;
@@ -138,13 +141,13 @@ public class ApRequest {
}
if (timeSkew != 0) {
- if (authenticator.getCtime().isInClockSkew(timeSkew)) {
+ if (!authenticator.getCtime().isInClockSkew(timeSkew)) {
throw new KrbException(KrbErrorCode.KRB_AP_ERR_SKEW);
}
KerberosTime now = KerberosTime.now();
KerberosTime startTime = tktEncPart.getStartTime();
- if (startTime != null && startTime.greaterThanWithSkew(now, timeSkew)) {
+ if (startTime != null && !startTime.lessThanWithSkew(now, timeSkew)) {
throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_NYV);
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/706b85e3/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java
index a897c29..adacb27 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java
@@ -20,6 +20,7 @@
package org.apache.kerby.kerberos.kerb.gssapi;
import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyAcceptCred;
+import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyContext;
import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyCredElement;
import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyInitCred;
import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyNameElement;
@@ -90,9 +91,7 @@ public class KerbyMechFactory implements MechanismFactory {
if (myInitiatorCred == null) {
myInitiatorCred = getCredentialElement(null, lifetime, 0, GSSCredential.INITIATE_ONLY);
}
- return null;
- //For convenience of making patch, return null instead of introduce in KerbyContext
- //return new KerbyContext(caller, (KerbyNameElement)peer, (KerbyInitCred)myInitiatorCred, lifetime);
+ return new KerbyContext(caller, (KerbyNameElement) peer, (KerbyInitCred) myInitiatorCred, lifetime);
}
public GSSContextSpi getMechanismContext(GSSCredentialSpi myAcceptorCred)
@@ -101,13 +100,13 @@ public class KerbyMechFactory implements MechanismFactory {
myAcceptorCred = getCredentialElement(null, 0,
GSSCredential.INDEFINITE_LIFETIME, GSSCredential.ACCEPT_ONLY);
}
- return null; //return new KerbyContext(caller, (KerbyAcceptCred)myAcceptorCred);
+ return new KerbyContext(caller, (KerbyAcceptCred) myAcceptorCred);
}
// Reconstruct from previously exported context
public GSSContextSpi getMechanismContext(byte[] exportedContext)
throws GSSException {
- return null; //return new KerbyContext(caller, exportedContext);
+ return new KerbyContext(caller, exportedContext);
}
public GSSCredentialSpi getCredentialElement(GSSNameSpi name,
[02/18] directory-kerby git commit: DIRKRB-555 - Implement GSSNameSpi
interface. Thanks to Wei Zhou.
Posted by co...@apache.org.
DIRKRB-555 - Implement GSSNameSpi interface. Thanks to Wei Zhou.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/b81a39bf
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/b81a39bf
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/b81a39bf
Branch: refs/heads/trunk
Commit: b81a39bfdaa7903eb5588ae395b3fe133ff04464
Parents: d58e342
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Jul 21 14:45:27 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 14:45:51 2017 +0100
----------------------------------------------------------------------
build-tools/kerby-checkstyle.xml | 2 +-
.../kerberos/kerb/gssapi/KerbyMechFactory.java | 150 +++++++++++++++++++
.../kerby/kerberos/kerb/gssapi/Provider.java | 46 ++++++
.../kerberos/kerb/gssapi/krb5/CredUtils.java | 91 +++++++++++
.../kerb/gssapi/krb5/KerbyAcceptCred.java | 72 +++++++++
.../kerb/gssapi/krb5/KerbyCredElement.java | 80 ++++++++++
.../kerb/gssapi/krb5/KerbyInitCred.java | 53 +++++++
.../kerb/gssapi/krb5/KerbyNameElement.java | 134 +++++++++++++++++
8 files changed, 627 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/b81a39bf/build-tools/kerby-checkstyle.xml
----------------------------------------------------------------------
diff --git a/build-tools/kerby-checkstyle.xml b/build-tools/kerby-checkstyle.xml
index ff9f5de..714a86f 100644
--- a/build-tools/kerby-checkstyle.xml
+++ b/build-tools/kerby-checkstyle.xml
@@ -67,7 +67,7 @@
<!-- Checks for imports -->
<!-- See http://checkstyle.sf.net/config_import.html -->
<!-- module name="AvoidStarImport"/ -->
- <module name="IllegalImport"/> <!-- defaults to sun.* packages -->
+ <!-- module name="IllegalImport"/ --> <!-- defaults to sun.* packages -->
<module name="RedundantImport"/>
<module name="UnusedImports"/>
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/b81a39bf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java
new file mode 100644
index 0000000..a897c29
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java
@@ -0,0 +1,150 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gssapi;
+
+import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyAcceptCred;
+import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyCredElement;
+import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyInitCred;
+import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyNameElement;
+import org.ietf.jgss.GSSCredential;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.GSSName;
+import org.ietf.jgss.Oid;
+import sun.security.jgss.GSSCaller;
+import sun.security.jgss.spi.GSSContextSpi;
+import sun.security.jgss.spi.GSSCredentialSpi;
+import sun.security.jgss.spi.GSSNameSpi;
+import sun.security.jgss.spi.MechanismFactory;
+
+import java.security.Provider;
+
+/**
+ * Kerby Kerberos V5 plugin for JGSS
+ */
+public class KerbyMechFactory implements MechanismFactory {
+ private static final Provider PROVIDER =
+ new org.apache.kerby.kerberos.kerb.gssapi.Provider();
+
+ private static final String KRB5_OID_STRING = "1.2.840.113554.1.2.2";
+ private static final Oid KRB5_OID = createOid(KRB5_OID_STRING);
+
+ private static Oid[] nameTypes =
+ new Oid[] {
+ GSSName.NT_USER_NAME,
+ GSSName.NT_EXPORT_NAME,
+ GSSName.NT_HOSTBASED_SERVICE
+ };
+
+ private final GSSCaller caller;
+
+ public Oid getMechanismOid() {
+ return KRB5_OID;
+ }
+
+ public Provider getProvider() {
+ return PROVIDER;
+ }
+
+ public Oid[] getNameTypes() throws GSSException {
+ return nameTypes;
+ }
+
+ public KerbyMechFactory(GSSCaller caller) {
+ this.caller = caller;
+ }
+
+ public GSSNameSpi getNameElement(String nameStr, Oid nameType)
+ throws GSSException {
+ return KerbyNameElement.getInstance(nameStr, nameType);
+ }
+
+ public GSSNameSpi getNameElement(byte[] name, Oid nameType)
+ throws GSSException {
+ return KerbyNameElement.getInstance(name.toString(), nameType);
+ }
+
+ // Used by initiator
+ public GSSContextSpi getMechanismContext(GSSNameSpi peer,
+ GSSCredentialSpi myInitiatorCred,
+ int lifetime) throws GSSException {
+ if (peer != null && !(peer instanceof KerbyNameElement)) {
+ peer = KerbyNameElement.getInstance(peer.toString(), peer.getStringNameType());
+ }
+ if (myInitiatorCred == null) {
+ myInitiatorCred = getCredentialElement(null, lifetime, 0, GSSCredential.INITIATE_ONLY);
+ }
+ return null;
+ //For convenience of making patch, return null instead of introduce in KerbyContext
+ //return new KerbyContext(caller, (KerbyNameElement)peer, (KerbyInitCred)myInitiatorCred, lifetime);
+ }
+
+ public GSSContextSpi getMechanismContext(GSSCredentialSpi myAcceptorCred)
+ throws GSSException {
+ if (myAcceptorCred == null) {
+ myAcceptorCred = getCredentialElement(null, 0,
+ GSSCredential.INDEFINITE_LIFETIME, GSSCredential.ACCEPT_ONLY);
+ }
+ return null; //return new KerbyContext(caller, (KerbyAcceptCred)myAcceptorCred);
+ }
+
+ // Reconstruct from previously exported context
+ public GSSContextSpi getMechanismContext(byte[] exportedContext)
+ throws GSSException {
+ return null; //return new KerbyContext(caller, exportedContext);
+ }
+
+ public GSSCredentialSpi getCredentialElement(GSSNameSpi name,
+ int initLifetime,
+ int acceptLifetime,
+ int usage)
+ throws GSSException {
+ if (name != null && !(name instanceof KerbyNameElement)) {
+ name = KerbyNameElement.getInstance(name.toString(), name.getStringNameType());
+ }
+
+ KerbyCredElement credElement;
+
+ if (usage == GSSCredential.INITIATE_ONLY) {
+ credElement = KerbyInitCred.getInstance(caller, (KerbyNameElement) name, initLifetime);
+ } else if (usage == GSSCredential.ACCEPT_ONLY) {
+ credElement = KerbyAcceptCred.getInstance(caller, (KerbyNameElement) name, acceptLifetime);
+ } else if (usage == GSSCredential.INITIATE_AND_ACCEPT) {
+ throw new GSSException(GSSException.FAILURE, -1, "Unsupported usage mode: INITIATE_AND_ACCEPT");
+ } else {
+ throw new GSSException(GSSException.FAILURE, -1, "Unknown usage mode: " + usage);
+ }
+
+ return credElement;
+ }
+
+ private static Oid createOid(String oidStr) {
+ Oid retVal;
+ try {
+ retVal = new Oid(oidStr);
+ } catch (GSSException e) {
+ retVal = null;
+ }
+ return retVal;
+ }
+
+ public static Oid getOid() {
+ return KRB5_OID;
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/b81a39bf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/Provider.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/Provider.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/Provider.java
new file mode 100644
index 0000000..ad3a614
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/Provider.java
@@ -0,0 +1,46 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gssapi;
+
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+
+/**
+ * Proivder is used to register the implementation of gssapi mechanism into the system
+ */
+public final class Provider extends java.security.Provider {
+ private static final long serialVersionUID = 3787378212107821987L;
+ private static final String INFO = "Kerby GssApi Provider";
+ private static final String MECHANISM_GSSAPI = "GssApiMechanism.1.2.840.113554.1.2.2";
+ private static final String MECHANISM_GSSAPI_CLASS = "org.apache.kerby.kerberos.kerb.gssapi.KerbyMechFactory";
+
+ public Provider() {
+ super("KerbyGssApi", 0.01d, INFO);
+
+ AccessController.doPrivileged(new PrivilegedAction<Void>() {
+ public Void run() {
+
+ put(MECHANISM_GSSAPI, MECHANISM_GSSAPI_CLASS);
+
+ return null;
+ }
+ });
+ }
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/b81a39bf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/CredUtils.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/CredUtils.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/CredUtils.java
new file mode 100644
index 0000000..6d066db
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/CredUtils.java
@@ -0,0 +1,91 @@
+package org.apache.kerby.kerberos.kerb.gssapi.krb5;
+
+import org.ietf.jgss.GSSException;
+import sun.security.jgss.GSSCaller;
+
+import javax.security.auth.Subject;
+import javax.security.auth.kerberos.KerberosPrincipal;
+import javax.security.auth.kerberos.KerberosTicket;
+import javax.security.auth.kerberos.KeyTab;
+import javax.security.auth.kerberos.ServicePermission;
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.util.Set;
+
+/**
+ * Utility functions to deal with credentials in Context
+ */
+public class CredUtils {
+
+ public static <T> Set<T> getContextPrivateCredentials(Class<T> credentialType, AccessControlContext acc) {
+ Subject subject = Subject.getSubject(acc);
+ Set<T> creds = subject.getPrivateCredentials(credentialType);
+ return creds;
+ }
+
+ public static <T> Set<T> getContextCredentials(final Class<T> credentialType) throws GSSException {
+ final AccessControlContext acc = AccessController.getContext();
+ try {
+ return AccessController.doPrivileged(
+ new PrivilegedExceptionAction<Set<T>>() {
+ public Set<T> run() throws Exception {
+ return CredUtils.getContextPrivateCredentials(credentialType, acc);
+ }
+ });
+ } catch (PrivilegedActionException e) {
+ throw new GSSException(GSSException.NO_CRED, -1, "Get credential from context failed");
+ }
+ }
+
+ public static KerberosTicket getKerberosTicketFromContext(GSSCaller caller,
+ final String clientName,
+ final String serverName) throws GSSException {
+ Set<KerberosTicket> tickets = getContextCredentials(KerberosTicket.class);
+ for (KerberosTicket ticket : tickets) {
+ if (ticket.isCurrent() && (serverName == null || ticket.getServer().getName().equals(serverName))
+ && (clientName == null || ticket.getClient().getName().equals(clientName))) {
+ return ticket;
+ }
+ }
+ return null;
+ }
+
+ public static KeyTab getKeyTabFromContext(KerberosPrincipal principal) throws GSSException {
+ Set<KeyTab> tabs = getContextCredentials(KeyTab.class);
+ for (KeyTab tab : tabs) {
+ if (tab.getPrincipal().equals(principal)) {
+ return tab;
+ }
+ }
+ return null;
+ }
+
+ public static void addCredentialToSubject(final KerberosTicket ticket) throws GSSException {
+ final AccessControlContext acc = AccessController.getContext();
+
+ final Subject subject = AccessController.doPrivileged(
+ new java.security.PrivilegedAction<Subject>() {
+ public Subject run() {
+ return Subject.getSubject(acc);
+ }
+ });
+
+ AccessController.doPrivileged(
+ new java.security.PrivilegedAction<Void>() {
+ public Void run() {
+ subject.getPrivateCredentials().add(ticket);
+ return null;
+ }
+ });
+ }
+
+ public static void checkPrincipalPermission(String principalName, String action) {
+ SecurityManager sm = System.getSecurityManager();
+ if (sm != null) {
+ ServicePermission sp = new ServicePermission(principalName, action);
+ sm.checkPermission(sp);
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/b81a39bf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyAcceptCred.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyAcceptCred.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyAcceptCred.java
new file mode 100644
index 0000000..a7331fa
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyAcceptCred.java
@@ -0,0 +1,72 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gssapi.krb5;
+
+
+import org.ietf.jgss.GSSException;
+import sun.security.jgss.GSSCaller;
+
+import javax.security.auth.kerberos.KerberosKey;
+import javax.security.auth.kerberos.KerberosPrincipal;
+import javax.security.auth.kerberos.KeyTab;
+
+public final class KerbyAcceptCred extends KerbyCredElement {
+
+ private final KeyTab keyTab;
+
+ public static KerbyAcceptCred getInstance(final GSSCaller caller,
+ KerbyNameElement name, int lifeTime) throws GSSException {
+
+ KerberosPrincipal princ = new KerberosPrincipal(name.getPrincipalName().getName(),
+ name.getPrincipalName().getNameType().getValue());
+ KeyTab keyTab = CredUtils.getKeyTabFromContext(princ);
+
+ if (keyTab == null) {
+ throw new GSSException(GSSException.NO_CRED, -1,
+ "Failed to find any Kerberos credential for " + name.getPrincipalName().getName());
+ }
+
+ return new KerbyAcceptCred(caller, name, keyTab, lifeTime);
+ }
+
+ private KerbyAcceptCred(GSSCaller caller, KerbyNameElement name, KeyTab keyTab, int lifeTime) {
+ super(caller, name);
+ this.keyTab = keyTab;
+ this.accLifeTime = lifeTime;
+ }
+
+ public boolean isInitiatorCredential() throws GSSException {
+ return false;
+ }
+
+ public boolean isAcceptorCredential() throws GSSException {
+ return true;
+ }
+
+ public KeyTab getKeyTab() {
+ return this.keyTab;
+ }
+
+ public KerberosKey[] getKeys() {
+ KerberosPrincipal princ = new KerberosPrincipal(name.getPrincipalName().getName(),
+ name.getPrincipalName().getNameType().getValue());
+ return keyTab.getKeys(princ);
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/b81a39bf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyCredElement.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyCredElement.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyCredElement.java
new file mode 100644
index 0000000..c52b3ea
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyCredElement.java
@@ -0,0 +1,80 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gssapi.krb5;
+
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.Oid;
+import sun.security.jgss.GSSCaller;
+import sun.security.jgss.spi.GSSCredentialSpi;
+import sun.security.jgss.spi.GSSNameSpi;
+
+import java.security.Provider;
+
+public abstract class KerbyCredElement implements GSSCredentialSpi {
+
+ static final Oid KRB5_OID = createOid("1.2.840.113554.1.2.2");
+
+ protected GSSCaller caller;
+ protected KerbyNameElement name;
+ protected int initLifeTime;
+ protected int accLifeTime;
+
+ KerbyCredElement(GSSCaller caller, KerbyNameElement name) {
+ this.caller = caller;
+ this.name = name;
+ }
+
+ public Provider getProvider() {
+ return new org.apache.kerby.kerberos.kerb.gssapi.Provider();
+ }
+
+ public void dispose() throws GSSException {
+ }
+
+ public GSSNameSpi getName() throws GSSException {
+ return name;
+ }
+
+ public int getInitLifetime() throws GSSException {
+ return initLifeTime;
+ }
+
+ public int getAcceptLifetime() throws GSSException {
+ return accLifeTime;
+ }
+
+ public Oid getMechanism() {
+ return KRB5_OID;
+ }
+
+ public GSSCredentialSpi impersonate(GSSNameSpi name) throws GSSException {
+ throw new GSSException(GSSException.FAILURE, -1, "Unsupported feature"); // TODO:
+ }
+
+ private static Oid createOid(String oidStr) {
+ Oid retVal;
+ try {
+ retVal = new Oid(oidStr);
+ } catch (GSSException e) {
+ retVal = null; // get rid of blank catch block warning
+ }
+ return retVal;
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/b81a39bf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyInitCred.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyInitCred.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyInitCred.java
new file mode 100644
index 0000000..d04f915
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyInitCred.java
@@ -0,0 +1,53 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gssapi.krb5;
+
+import org.ietf.jgss.GSSException;
+import sun.security.jgss.GSSCaller;
+
+import javax.security.auth.kerberos.KerberosTicket;
+
+public final class KerbyInitCred extends KerbyCredElement {
+
+ public KerberosTicket ticket;
+
+ private KerbyInitCred(GSSCaller caller, KerbyNameElement name, KerberosTicket ticket, int lifeTime) {
+ super(caller, name);
+ this.ticket = ticket;
+ this.initLifeTime = lifeTime;
+ }
+
+ public static KerbyInitCred getInstance(GSSCaller caller, KerbyNameElement name, int lifeTime) throws GSSException {
+ KerberosTicket ticket = CredUtils.getKerberosTicketFromContext(caller, name.getPrincipalName().getName(), null);
+ return new KerbyInitCred(caller, name, ticket, lifeTime);
+ }
+
+ public boolean isInitiatorCredential() throws GSSException {
+ return true;
+ }
+
+ public boolean isAcceptorCredential() throws GSSException {
+ return false;
+ }
+
+ public KerberosTicket getKerberosTicket() {
+ return ticket;
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/b81a39bf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyNameElement.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyNameElement.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyNameElement.java
new file mode 100644
index 0000000..9c93143
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyNameElement.java
@@ -0,0 +1,134 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gssapi.krb5;
+
+import org.apache.kerby.kerberos.kerb.gssapi.KerbyMechFactory;
+import org.apache.kerby.kerberos.kerb.type.base.NameType;
+import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.GSSName;
+import org.ietf.jgss.Oid;
+import sun.security.jgss.spi.GSSNameSpi;
+import java.io.UnsupportedEncodingException;
+import java.security.Provider;
+
+public class KerbyNameElement implements GSSNameSpi {
+
+ private PrincipalName principalName;
+ private Oid nameType = null;
+
+ KerbyNameElement(PrincipalName principalName,
+ Oid nameType) {
+ this.principalName = principalName;
+ this.nameType = nameType;
+ }
+
+ public PrincipalName toKerbyPrincipalName(sun.security.krb5.PrincipalName name) {
+ return new PrincipalName(name.getNameString(), toKerbyNameType(name.getNameType()));
+ }
+
+ private NameType toKerbyNameType(int intNameType) {
+ return NameType.fromValue(intNameType);
+ }
+
+ public static NameType toKerbyNameType(Oid nameType) throws GSSException {
+ NameType kerbyNameType;
+
+ if (nameType == null) {
+ throw new GSSException(GSSException.BAD_NAMETYPE);
+ }
+
+ if (nameType.equals(GSSName.NT_EXPORT_NAME) || nameType.equals(GSSName.NT_USER_NAME)) {
+ kerbyNameType = NameType.NT_PRINCIPAL;
+ } else if (nameType.equals(GSSName.NT_HOSTBASED_SERVICE)) {
+ kerbyNameType = NameType.NT_SRV_HST;
+ } else {
+ throw new GSSException(GSSException.BAD_NAMETYPE, 0, "Unsupported Oid name type");
+ }
+ return kerbyNameType;
+ }
+
+ public static KerbyNameElement getInstance(String name, Oid oidNameType)
+ throws GSSException {
+ PrincipalName principalName = new PrincipalName(name, toKerbyNameType(oidNameType));
+ return new KerbyNameElement(principalName, oidNameType);
+ }
+
+ public Provider getProvider() {
+ return new org.apache.kerby.kerberos.kerb.gssapi.Provider();
+ }
+
+ public boolean equals(GSSNameSpi name) throws GSSException {
+ if (name == null || name.isAnonymousName() || isAnonymousName()) {
+ return false;
+ }
+ return this.toString().equals(name.toString()) && this.getStringNameType().equals(name.getStringNameType());
+ }
+
+ public final PrincipalName getPrincipalName() {
+ return principalName;
+ }
+
+ public boolean equals(Object another) {
+ if (another == null) {
+ return false;
+ }
+
+ try {
+ if (another instanceof GSSNameSpi) {
+ return equals((GSSNameSpi) another);
+ }
+ } catch (GSSException e) {
+ return false;
+ }
+
+ return false;
+ }
+
+ public int hashCode() {
+ return principalName.hashCode();
+ }
+
+ public byte[] export() throws GSSException {
+ byte[] retVal;
+ try {
+ retVal = principalName.getName().getBytes("UTF-8");
+ } catch (UnsupportedEncodingException e) {
+ throw new GSSException(GSSException.BAD_NAME, -1, e.getMessage());
+ }
+ return retVal;
+ }
+
+ public Oid getMechanism() {
+ return KerbyMechFactory.getOid();
+ }
+
+ public String toString() {
+ return principalName.toString();
+ }
+
+ public Oid getStringNameType() {
+ return nameType;
+ }
+
+ public boolean isAnonymousName() {
+ return nameType.equals(GSSName.NT_ANONYMOUS);
+ }
+}
[12/18] directory-kerby git commit: Refactoring the package and
structure
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/976b16cf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyCredElement.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyCredElement.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyCredElement.java
deleted file mode 100644
index c52b3ea..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyCredElement.java
+++ /dev/null
@@ -1,80 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi.krb5;
-
-import org.ietf.jgss.GSSException;
-import org.ietf.jgss.Oid;
-import sun.security.jgss.GSSCaller;
-import sun.security.jgss.spi.GSSCredentialSpi;
-import sun.security.jgss.spi.GSSNameSpi;
-
-import java.security.Provider;
-
-public abstract class KerbyCredElement implements GSSCredentialSpi {
-
- static final Oid KRB5_OID = createOid("1.2.840.113554.1.2.2");
-
- protected GSSCaller caller;
- protected KerbyNameElement name;
- protected int initLifeTime;
- protected int accLifeTime;
-
- KerbyCredElement(GSSCaller caller, KerbyNameElement name) {
- this.caller = caller;
- this.name = name;
- }
-
- public Provider getProvider() {
- return new org.apache.kerby.kerberos.kerb.gssapi.Provider();
- }
-
- public void dispose() throws GSSException {
- }
-
- public GSSNameSpi getName() throws GSSException {
- return name;
- }
-
- public int getInitLifetime() throws GSSException {
- return initLifeTime;
- }
-
- public int getAcceptLifetime() throws GSSException {
- return accLifeTime;
- }
-
- public Oid getMechanism() {
- return KRB5_OID;
- }
-
- public GSSCredentialSpi impersonate(GSSNameSpi name) throws GSSException {
- throw new GSSException(GSSException.FAILURE, -1, "Unsupported feature"); // TODO:
- }
-
- private static Oid createOid(String oidStr) {
- Oid retVal;
- try {
- retVal = new Oid(oidStr);
- } catch (GSSException e) {
- retVal = null; // get rid of blank catch block warning
- }
- return retVal;
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/976b16cf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssEncryptor.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssEncryptor.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssEncryptor.java
deleted file mode 100644
index 9aff63e..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssEncryptor.java
+++ /dev/null
@@ -1,388 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi.krb5;
-
-
-import org.apache.kerby.kerberos.kerb.KrbException;
-import org.apache.kerby.kerberos.kerb.crypto.CheckSumHandler;
-import org.apache.kerby.kerberos.kerb.crypto.CheckSumTypeHandler;
-import org.apache.kerby.kerberos.kerb.crypto.EncTypeHandler;
-import org.apache.kerby.kerberos.kerb.crypto.EncryptionHandler;
-import org.apache.kerby.kerberos.kerb.crypto.cksum.provider.Md5Provider;
-import org.apache.kerby.kerberos.kerb.crypto.enc.provider.DesProvider;
-import org.apache.kerby.kerberos.kerb.crypto.enc.provider.Rc4Provider;
-import org.apache.kerby.kerberos.kerb.type.base.CheckSumType;
-import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
-import org.apache.kerby.kerberos.kerb.type.base.EncryptionType;
-import org.ietf.jgss.GSSException;
-
-import javax.crypto.Mac;
-import javax.crypto.SecretKey;
-import javax.crypto.spec.SecretKeySpec;
-
-/**
- * This class implements encryption related function used in GSS tokens
- */
-public class KerbyGssEncryptor {
-
- private final EncryptionKey encKey;
- private final EncryptionType encKeyType; // The following two variables used for convenience
- private final byte[] encKeyBytes;
-
- private CheckSumType checkSumTypeDef;
- private int checkSumSize;
-
- private boolean isV2 = false;
- private int sgnAlg = 0xFFFF;
- private int sealAlg = 0xFFFF;
- private boolean isArcFourHmac = false;
-
- private static final byte[] IV_ZEROR_8B = new byte[8];
-
- public KerbyGssEncryptor(EncryptionKey key) throws GSSException {
- encKey = key;
- encKeyBytes = encKey.getKeyData();
- encKeyType = key.getKeyType();
-
- if (encKeyType == EncryptionType.AES128_CTS_HMAC_SHA1_96) {
- checkSumSize = 12;
- checkSumTypeDef = CheckSumType.HMAC_SHA1_96_AES128;
- isV2 = true;
- } else if (encKeyType == EncryptionType.AES256_CTS_HMAC_SHA1_96) {
- checkSumSize = 12;
- checkSumTypeDef = CheckSumType.HMAC_SHA1_96_AES256;
- isV2 = true;
- } else if (encKeyType == EncryptionType.DES_CBC_CRC || encKeyType == EncryptionType.DES_CBC_MD5) {
- sgnAlg = KerbyGssTokenV1.SGN_ALG_DES_MAC_MD5;
- sealAlg = KerbyGssTokenV1.SEAL_ALG_DES;
- checkSumSize = 8;
- } else if (encKeyType == EncryptionType.DES3_CBC_SHA1) {
- sgnAlg = KerbyGssTokenV1.SGN_ALG_HMAC_SHA1_DES3_KD;
- sealAlg = KerbyGssTokenV1.SEAL_ALG_DES3_KD;
- checkSumSize = 20;
- } else if (encKeyType == EncryptionType.ARCFOUR_HMAC) {
- sgnAlg = KerbyGssTokenV1.SGN_ALG_RC4_HMAC;
- sealAlg = KerbyGssTokenV1.SEAL_ALG_RC4_HMAC;
- checkSumSize = 16;
- isArcFourHmac = true;
- } else {
- throw new GSSException(GSSException.FAILURE, -1,
- "Invalid encryption type: " + encKeyType.getDisplayName());
- }
- }
-
- /**
- * Return true if it is encryption type defined in RFC 4121
- * @return
- */
- public boolean isV2() {
- return isV2;
- }
-
- public int getSgnAlg() {
- return sgnAlg;
- }
-
- public int getSealAlg() {
- return sealAlg;
- }
-
- public boolean isArcFourHmac() {
- return isArcFourHmac;
- }
-
- public byte[] encryptData(byte[] tokenHeader, byte[] data,
- int offset, int len, int keyUsage) throws GSSException {
- byte[] ret;
- byte[] toProcess = new byte[tokenHeader.length + len];
- System.arraycopy(data, offset, toProcess, 0, len);
- System.arraycopy(tokenHeader, 0, toProcess, len, tokenHeader.length);
-
- ret = encryptData(toProcess, keyUsage);
- return ret;
- }
-
- public byte[] encryptData(byte[] toProcess, int keyUsage) throws GSSException {
- byte[] ret;
- try {
- EncTypeHandler encHandler = EncryptionHandler.getEncHandler(encKey.getKeyType());
- ret = encHandler.encrypt(toProcess, encKey.getKeyData(), keyUsage);
- } catch (KrbException e) {
- throw new GSSException(GSSException.FAILURE, -1, e.getMessage());
- }
- return ret;
- }
-
- public byte[] decryptData(byte[] dataEncrypted, int keyUsage) throws GSSException {
- byte[] ret;
- try {
- EncTypeHandler encHandler = EncryptionHandler.getEncHandler(encKey.getKeyType());
- ret = encHandler.decrypt(dataEncrypted, encKey.getKeyData(), keyUsage);
- } catch (KrbException e) {
- throw new GSSException(GSSException.FAILURE, -1, e.getMessage());
- }
- return ret;
- }
-
- public byte[] calculateCheckSum(byte[] header, byte[] data, int offset, int len, int keyUsage)
- throws GSSException {
- int totalLen = len + (header == null ? 0 : header.length);
- byte[] buffer = new byte[totalLen];
- System.arraycopy(data, offset, buffer, 0, len);
- if (header != null) {
- System.arraycopy(header, 0, buffer, len, header.length);
- }
-
- try {
- return CheckSumHandler.getCheckSumHandler(checkSumTypeDef)
- .checksumWithKey(buffer, encKey.getKeyData(), keyUsage);
- } catch (KrbException e) {
- throw new GSSException(GSSException.FAILURE, -1,
- "Exception in checksum calculation:" + e.getMessage());
- }
- }
-
- /**
- * Get the size of the corresponding checksum algorithm
- * @return
- * @throws GSSException
- */
- public int getCheckSumSize() throws GSSException {
- return checkSumSize;
- }
-
-
- private void addPadding(int paddingLen, byte[] outBuf, int offset) {
- for (int i = 0; i < paddingLen; i++) {
- outBuf[offset + i] = (byte) paddingLen;
- }
- }
-
- private byte[] getFirstBytes(byte[] src, int len) {
- if (len < src.length) {
- byte[] ret = new byte[len];
- System.arraycopy(src, 0, ret, 0, len);
- return ret;
- }
- return src;
- }
-
- private byte[] getKeyBytesWithLength(int len) {
- return getFirstBytes(encKeyBytes, len);
- }
-
- public byte[] calculateCheckSum(byte[] confounder, byte[] header,
- byte[] data, int offset, int len, int paddingLen, boolean isMic)
- throws GSSException {
- byte[] ret;
- int keyUsage = KerbyGssTokenV1.KG_USAGE_SIGN;
- CheckSumTypeHandler handler;
-
- int keySize;
- byte[] key;
- byte[] toProc;
- int toOffset;
- int toLen = (confounder == null ? 0 : confounder.length)
- + (header == null ? 0 : header.length) + len + paddingLen;
- if (toLen == len) {
- toProc = data;
- toOffset = offset;
- } else {
- toOffset = 0;
- int idx = 0;
- toProc = new byte[toLen];
-
- if (header != null) {
- System.arraycopy(header, 0, toProc, idx, header.length);
- idx += header.length;
- }
-
- if (confounder != null) {
- System.arraycopy(confounder, 0, toProc, idx, confounder.length);
- idx += confounder.length;
- }
-
- System.arraycopy(data, offset, toProc, idx, len);
- addPadding(paddingLen, toProc, len + idx);
- }
-
- CheckSumType chksumType;
- try {
- switch (sgnAlg) {
- case KerbyGssTokenV1.SGN_ALG_DES_MAC_MD5:
- Md5Provider md5Provider = new Md5Provider();
- md5Provider.hash(toProc);
- toProc = md5Provider.output();
-
- case KerbyGssTokenV1.SGN_ALG_DES_MAC:
- DesProvider desProvider = new DesProvider();
- return desProvider.cbcMac(encKeyBytes, IV_ZEROR_8B, toProc);
-
- case KerbyGssTokenV1.SGN_ALG_HMAC_SHA1_DES3_KD:
- chksumType = CheckSumType.HMAC_SHA1_DES3_KD;
- break;
- case KerbyGssTokenV1.SGN_ALG_RC4_HMAC:
- chksumType = CheckSumType.MD5_HMAC_ARCFOUR;
- if (isMic) {
- keyUsage = KerbyGssTokenV1.KG_USAGE_MS_SIGN;
- }
- break;
- case KerbyGssTokenV1.SGN_ALG_MD25:
- throw new GSSException(GSSException.FAILURE, -1, "CheckSum not implemented for SGN_ALG_MD25");
- default:
- throw new GSSException(GSSException.FAILURE, -1, "CheckSum not implemented for sgnAlg=" + sgnAlg);
- }
- handler = CheckSumHandler.getCheckSumHandler(chksumType);
- keySize = handler.keySize();
- key = getKeyBytesWithLength(keySize);
- ret = handler.checksumWithKey(toProc, toOffset, toLen, key, keyUsage);
- } catch (KrbException e) {
- throw new GSSException(GSSException.FAILURE, -1,
- "Exception in checksum calculation sgnAlg = " + sgnAlg + " : " + e.getMessage());
- }
- return ret;
- }
-
- public byte[] encryptSequenceNumber(byte[] seqBytes, byte[] ivSrc, boolean encrypt)
- throws GSSException {
- EncTypeHandler handler;
- try {
- switch (sgnAlg) {
- case KerbyGssTokenV1.SGN_ALG_DES_MAC_MD5:
- case KerbyGssTokenV1.SGN_ALG_DES_MAC:
- DesProvider desProvider = new DesProvider();
- byte[] data = seqBytes.clone();
- if (encrypt) {
- desProvider.encrypt(encKeyBytes, ivSrc, data);
- } else {
- desProvider.decrypt(encKeyBytes, ivSrc, data);
- }
- return data;
- case KerbyGssTokenV1.SGN_ALG_HMAC_SHA1_DES3_KD:
- handler = EncryptionHandler.getEncHandler(EncryptionType.DES3_CBC_SHA1_KD);
- break;
- case KerbyGssTokenV1.SGN_ALG_RC4_HMAC:
- return encryptArcFourHmac(seqBytes, getKeyBytesWithLength(16), getFirstBytes(ivSrc, 8), encrypt);
- case KerbyGssTokenV1.SGN_ALG_MD25:
- throw new GSSException(GSSException.FAILURE, -1, "EncSeq not implemented for SGN_ALG_MD25");
- default:
- throw new GSSException(GSSException.FAILURE, -1, "EncSeq not implemented for sgnAlg=" + sgnAlg);
- }
- int keySize = handler.keySize();
- byte[] key = getKeyBytesWithLength(keySize);
- int ivLen = handler.encProvider().blockSize();
- byte[] iv = getFirstBytes(ivSrc, ivLen);
- if (encrypt) {
- return handler.encryptRaw(seqBytes, key, iv, KerbyGssTokenV1.KG_USAGE_SEQ);
- } else {
- return handler.decryptRaw(seqBytes, key, iv, KerbyGssTokenV1.KG_USAGE_SEQ);
- }
- } catch (KrbException e) {
- throw new GSSException(GSSException.FAILURE, -1,
- "Exception in encrypt seq number sgnAlg = " + sgnAlg + " : " + e.getMessage());
- }
- }
-
- private byte[] getHmacMd5(byte[] key, byte[] salt) throws GSSException {
- try {
- SecretKey secretKey = new SecretKeySpec(key, "HmacMD5");
- Mac mac = Mac.getInstance("HmacMD5");
- mac.init(secretKey);
- return mac.doFinal(salt);
- } catch (Exception e) {
- throw new GSSException(GSSException.FAILURE, -1, "Get HmacMD5 failed: " + e.getMessage());
- }
- }
-
- private byte[] encryptArcFourHmac(byte[] data, byte[] key, byte[] iv, boolean encrypt)
- throws GSSException {
- byte[] sk1 = getHmacMd5(key, new byte[4]);
- byte[] sk2 = getHmacMd5(sk1, iv);
- Rc4Provider provider = new Rc4Provider();
- try {
- byte[] ret = data.clone();
- if (encrypt) {
- provider.encrypt(sk2, ret);
- } else {
- provider.decrypt(sk2, ret);
- }
- return ret;
- } catch (KrbException e) {
- throw new GSSException(GSSException.FAILURE, -1,
- "En/Decrypt sequence failed for ArcFourHmac: " + e.getMessage());
- }
- }
-
- private byte[] encryptDataArcFourHmac(byte[] data, byte[] key, byte[] seqNum, boolean encrypt) throws GSSException {
- byte[] dataKey = new byte[key.length];
- for (int i = 0; i <= 15; i++) {
- dataKey[i] = (byte) (key[i] ^ 0xF0);
- }
- return encryptArcFourHmac(data, dataKey, seqNum, encrypt);
- }
-
- public byte[] encryptTokenV1(byte[] confounder, byte[] data, int offset, int len,
- int paddingLen, byte[] seqNumber, boolean encrypt) throws GSSException {
- byte[] toProc;
- if (encrypt) {
- int toLen = (confounder == null ? 0 : confounder.length) + len + paddingLen;
- int index = 0;
- toProc = new byte[toLen];
- if (confounder != null) {
- System.arraycopy(confounder, 0, toProc, 0, confounder.length);
- index += confounder.length;
- }
- System.arraycopy(data, offset, toProc, index, len);
- addPadding(paddingLen, toProc, index + len);
- } else {
- toProc = data;
- if (data.length != len) {
- toProc = new byte[len];
- System.arraycopy(data, offset, toProc, 0, len);
- }
- }
- EncTypeHandler handler;
- try {
- switch (sealAlg) {
- case KerbyGssTokenV1.SEAL_ALG_DES:
- handler = EncryptionHandler.getEncHandler(EncryptionType.DES_CBC_MD5);
- break;
- case KerbyGssTokenV1.SEAL_ALG_DES3_KD:
- handler = EncryptionHandler.getEncHandler(EncryptionType.DES3_CBC_SHA1_KD);
- break;
- case KerbyGssTokenV1.SEAL_ALG_RC4_HMAC:
- return encryptDataArcFourHmac(toProc, getKeyBytesWithLength(16), seqNumber, encrypt);
- default:
- throw new GSSException(GSSException.FAILURE, -1, "Unknown encryption type sealAlg = " + sealAlg);
- }
-
- int keySize = handler.keySize();
- byte[] key = getKeyBytesWithLength(keySize);
- if (encrypt) {
- return handler.encryptRaw(toProc, key, KerbyGssTokenV1.KG_USAGE_SEAL);
- } else {
- return handler.decryptRaw(toProc, key, KerbyGssTokenV1.KG_USAGE_SEAL);
- }
- } catch (KrbException e) {
- throw new GSSException(GSSException.FAILURE, -1,
- "Exception in encrypt data sealAlg = " + sealAlg + " : " + e.getMessage());
- }
- }
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/976b16cf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenBase.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenBase.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenBase.java
deleted file mode 100644
index ae5122f..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenBase.java
+++ /dev/null
@@ -1,59 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi.krb5;
-
-
-public abstract class KerbyGssTokenBase {
- public static final int TOKEN_WRAP_V1 = 0x201;
- public static final int TOKEN_MIC_V1 = 0x101;
- public static final int TOKEN_WRAP_V2 = 0x504;
- public static final int TOKEN_MIC_V2 = 0x404;
-
- public void writeBigEndian(byte[] buf, int offset, int value) {
- buf[offset] = (byte) (value >>> 24);
- buf[offset + 1] = (byte) (value >>> 16);
- buf[offset + 2] = (byte) (value >>> 8);
- buf[offset + 3] = (byte) (value);
- }
-
- public int readBigEndian(byte[] buf, int offset) {
- int value = 0;
- value += (buf[offset] & 0xFF) << 24;
- value += (buf[offset + 1] & 0xFF) << 16;
- value += (buf[offset + 2] & 0xFF) << 8;
- value += buf[offset + 3] & 0xFF;
- return value;
- }
-
- /**
- *
- * @param buf
- * @param offset
- * @param len should not be larger than sizeof(int)
- * @return
- */
- public int readBigEndian(byte[] buf, int offset, int len) {
- int value = 0;
- for (int i = 0; i < len; i++) {
- value += (buf[offset + i] & 0xFF) << 8;
- }
- return value;
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/976b16cf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenV1.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenV1.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenV1.java
deleted file mode 100644
index 6b1a2c7..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenV1.java
+++ /dev/null
@@ -1,319 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi.krb5;
-
-
-import org.ietf.jgss.GSSException;
-import org.ietf.jgss.MessageProp;
-import sun.security.jgss.GSSHeader;
-import sun.security.util.ObjectIdentifier;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.security.MessageDigest;
-
-/**
- * This class implements the token formats defined in RFC 1964 and its updates
- *
- * The GSS Wrap token has the following format:
- *
- * Byte no Name Description
- * 0..1 TOK_ID 0201
- *
- * 2..3 SGN_ALG Checksum algorithm indicator.
- * 00 00 DES MAC MD5
- * 01 00 MD2.5
- * 02 00 DES MAC
- * 04 00 HMAC SHA1 DES3-KD
- * 11 00 RC4-HMAC used by Microsoft Windows, RFC 4757
- * 4..5 SEAL_ALG ff ff none
- * 00 00 DES
- * 02 00 DES3-KD
- * 10 00 RC4-HMAC
- * 6..7 Filler FF FF
- * 8..15 SND_SEQ Encrypted sequence number field.
- * 16..23 SNG_CKSUM Checksum of plaintext padded data,
- * calculated according to algorithm
- * specified in SGN_ALG field.
- * 24.. Data Encrypted or plaintext padded data
- *
- *
- *
- * Use of the GSS MIC token has the following format:
-
- * Byte no Name Description
- * 0..1 TOK_ID 0101
- * 2..3 SGN_ALG Integrity algorithm indicator.
- * 4..7 Filler Contains ff ff ff ff
- * 8..15 SND_SEQ Sequence number field.
- * 16..23 SGN_CKSUM Checksum of "to-be-signed data",
- * calculated according to algorithm
- * specified in SGN_ALG field.
- *
- */
-abstract class KerbyGssTokenV1 extends KerbyGssTokenBase {
- // SGN ALG
- public static final int SGN_ALG_DES_MAC_MD5 = 0;
- public static final int SGN_ALG_MD25 = 0x0100;
- public static final int SGN_ALG_DES_MAC = 0x0200;
- public static final int SGN_ALG_HMAC_SHA1_DES3_KD = 0x0400;
- public static final int SGN_ALG_RC4_HMAC = 0x1100;
-
- // SEAL ALG
- public static final int SEAL_ALG_NONE = 0xFFFF;
- public static final int SEAL_ALG_DES = 0x0; // "DES/CBC/NoPadding"
- public static final int SEAL_ALG_DES3_KD = 0x0200;
- public static final int SEAL_ALG_RC4_HMAC = 0x1000;
-
- public static final int KG_USAGE_SEAL = 22;
- public static final int KG_USAGE_SIGN = 23;
- public static final int KG_USAGE_SEQ = 24;
- public static final int KG_USAGE_MS_SIGN = 15;
-
- private boolean isInitiator;
- private boolean confState;
- private int sequenceNumber;
-
- protected KerbyGssEncryptor encryptor;
-
- private GSSHeader gssHeader;
-
- public static final int TOKEN_HEADER_COMM_SIZE = 8;
- public static final int TOKEN_HEADER_SEQ_SIZE = 8;
-
- // Token commHeader data
- private int tokenType;
- private byte[] commHeader = new byte[TOKEN_HEADER_COMM_SIZE];
- private int sgnAlg;
- private int sealAlg;
-
- private byte[] plainSequenceBytes;
- private byte[] encryptedSequenceNumber = new byte[TOKEN_HEADER_SEQ_SIZE];
- private byte[] checkSum;
- private int checkSumSize;
-
- protected int reconHeaderLen; // only used for certain reason
-
- public static ObjectIdentifier objId;
-
- static {
- try {
- objId = new ObjectIdentifier("1.2.840.113554.1.2.2");
- } catch (IOException ioe) { // NOPMD
- }
- }
-
- protected int getTokenHeaderSize() {
- return TOKEN_HEADER_COMM_SIZE + TOKEN_HEADER_SEQ_SIZE + checkSumSize;
- }
-
- protected byte[] getPlainSequenceBytes() {
- byte[] ret = new byte[4];
- ret[0] = plainSequenceBytes[0];
- ret[1] = plainSequenceBytes[1];
- ret[2] = plainSequenceBytes[2];
- ret[3] = plainSequenceBytes[3];
- return ret;
- }
-
- // Generate a new token
- KerbyGssTokenV1(int tokenType, KerbyContext context) throws GSSException {
- initialize(tokenType, context, false);
- createTokenHeader();
- }
-
- // Reconstruct a token
- KerbyGssTokenV1(int tokenType, KerbyContext context, MessageProp prop,
- byte[] token, int offset, int size) throws GSSException {
- int proxLen = size > 64 ? 64 : size;
- InputStream is = new ByteArrayInputStream(token, offset, proxLen);
- reconstructInitializaion(tokenType, context, prop, is);
- reconHeaderLen = gssHeader.getLength() + getTokenHeaderSize();
- }
-
- // Reconstruct a token
- KerbyGssTokenV1(int tokenType, KerbyContext context, MessageProp prop, InputStream is) throws GSSException {
- reconstructInitializaion(tokenType, context, prop, is);
- }
-
- private void reconstructInitializaion(int tokenType, KerbyContext context, MessageProp prop, InputStream is)
- throws GSSException {
- initialize(tokenType, context, true);
- if (!confState) {
- prop.setPrivacy(false);
- }
-
- try {
- gssHeader = new GSSHeader(is);
- } catch (IOException e) {
- throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token:" + e.getMessage());
- }
-
- if (!gssHeader.getOid().equals((Object) objId)) {
- throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token OID");
- }
-
- reconstructTokenHeader(is, prop);
- }
-
- private void initialize(int tokenType,
- KerbyContext context,
- boolean reconstruct) throws GSSException {
- this.tokenType = tokenType;
- this.isInitiator = context.isInitiator();
- this.confState = context.getConfState();
- this.encryptor = context.getGssEncryptor();
- this.checkSumSize = encryptor.getCheckSumSize();
- if (!reconstruct) {
- this.sequenceNumber = context.incMySequenceNumber();
- } else {
- checkSum = new byte[checkSumSize];
- }
- }
-
- protected void calcPrivacyInfo(MessageProp prop, byte[] confounder, byte[] data,
- int dataOffset, int dataLength, int paddingLen) throws GSSException {
- prop.setQOP(0);
- if (!confState) {
- prop.setPrivacy(false);
- }
-
- checkSum = calcCheckSum(confounder, commHeader, data, dataOffset, dataLength, paddingLen);
- encryptSequenceNumber();
- }
-
- protected void verifyToken(byte[] confounder, byte[] data, int dataOffset, int dataLength, int paddingLen)
- throws GSSException {
- byte[] sum = calcCheckSum(confounder, commHeader, data, dataOffset, dataLength, paddingLen);
- if (!MessageDigest.isEqual(checkSum, sum)) {
- throw new GSSException(GSSException.BAD_MIC, -1,
- "Corrupt token checksum for " + (tokenType == TOKEN_MIC_V1 ? "Mic" : "Wrap") + "TokenV1");
- }
- }
-
- private byte[] calcCheckSum(byte[] confounder, byte[] header, byte[] data,
- int dataOffset, int dataLength, int paddingLen) throws GSSException {
- return encryptor.calculateCheckSum(confounder, header, data, dataOffset, dataLength, paddingLen,
- tokenType == TOKEN_MIC_V1);
- }
-
- private void encryptSequenceNumber() throws GSSException {
- plainSequenceBytes = new byte[8];
- if (encryptor.isArcFourHmac()) {
- writeBigEndian(plainSequenceBytes, 0, sequenceNumber);
- } else {
- plainSequenceBytes[0] = (byte) sequenceNumber;
- plainSequenceBytes[1] = (byte) (sequenceNumber >>> 8);
- plainSequenceBytes[2] = (byte) (sequenceNumber >>> 16);
- plainSequenceBytes[3] = (byte) (sequenceNumber >>> 24);
- }
-
- // Hex 0 - sender is the context initiator, Hex FF - sender is the context acceptor
- if (!isInitiator) {
- plainSequenceBytes[4] = (byte) 0xFF;
- plainSequenceBytes[5] = (byte) 0xFF;
- plainSequenceBytes[6] = (byte) 0xFF;
- plainSequenceBytes[7] = (byte) 0xFF;
- }
-
- encryptedSequenceNumber = encryptor.encryptSequenceNumber(plainSequenceBytes, checkSum, true);
- }
-
- public void encodeHeader(OutputStream os) throws GSSException, IOException {
- // | GSSHeader | TokenHeader |
- GSSHeader gssHeader = new GSSHeader(objId, getTokenSizeWithoutGssHeader());
- gssHeader.encode(os);
- os.write(commHeader);
- os.write(encryptedSequenceNumber);
- os.write(checkSum);
- }
-
- private void createTokenHeader() {
- commHeader[0] = (byte) (tokenType >>> 8);
- commHeader[1] = (byte) tokenType;
-
- sgnAlg = encryptor.getSgnAlg();
- commHeader[2] = (byte) (sgnAlg >>> 8);
- commHeader[3] = (byte) sgnAlg;
-
- if (tokenType == TOKEN_WRAP_V1) {
- sealAlg = encryptor.getSealAlg();
- commHeader[4] = (byte) (sealAlg >>> 8);
- commHeader[5] = (byte) sealAlg;
- } else {
- commHeader[4] = (byte) 0xFF;
- commHeader[5] = (byte) 0xFF;
- }
-
- commHeader[6] = (byte) 0xFF;
- commHeader[7] = (byte) 0xFF;
- }
-
- // Re-construct token commHeader
- private void reconstructTokenHeader(InputStream is, MessageProp prop) throws GSSException {
- try {
- if (is.read(commHeader) != commHeader.length
- || is.read(encryptedSequenceNumber) != encryptedSequenceNumber.length
- || is.read(checkSum) != checkSum.length) {
- throw new GSSException(GSSException.FAILURE, -1,
- "Insufficient in reconstruct token header");
- }
- initTokenHeader(commHeader, prop);
-
- plainSequenceBytes = encryptor.encryptSequenceNumber(encryptedSequenceNumber, checkSum, false);
- byte dirc = isInitiator ? (byte) 0xFF : 0;
- // Hex 0 - sender is the context initiator, Hex FF - sender is the context acceptor
- if (!(plainSequenceBytes[4] == dirc && plainSequenceBytes[5] == dirc
- && plainSequenceBytes[6] == dirc && plainSequenceBytes[7] == dirc)) {
- throw new GSSException(GSSException.BAD_MIC, -1,
- "Corrupt token sequence for " + (tokenType == TOKEN_MIC_V1 ? "Mic" : "Wrap") + "TokenV1");
- }
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1,
- "Error in reconstruct token header:" + e.getMessage());
- }
- }
-
- private void initTokenHeader(byte[] tokenBytes, MessageProp prop) throws GSSException {
- int tokenIDRecv = (((int) tokenBytes[0]) << 8) + tokenBytes[1];
- if (tokenType != tokenIDRecv) {
- throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1,
- "Token ID should be " + tokenType + " instead of " + tokenIDRecv);
- }
-
- sgnAlg = (((int) tokenBytes[2]) << 8) + tokenBytes[3];
- sealAlg = (((int) tokenBytes[4]) << 8) + tokenBytes[5];
-
- if (tokenBytes[6] != (byte) 0xFF || tokenBytes[7] != (byte) 0xFF) {
- throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token head filler");
- }
-
- prop.setQOP(0);
- prop.setPrivacy(sealAlg != SEAL_ALG_NONE);
- }
-
- protected GSSHeader getGssHeader() {
- return gssHeader;
- }
-
- abstract int getTokenSizeWithoutGssHeader();
-}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/976b16cf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenV2.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenV2.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenV2.java
deleted file mode 100644
index f2d220a..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenV2.java
+++ /dev/null
@@ -1,282 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi.krb5;
-
-import org.ietf.jgss.GSSException;
-import org.ietf.jgss.MessageProp;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.security.MessageDigest;
-
-/**
- * This class implements the token formats defined in RFC 4121.
- */
-abstract class KerbyGssTokenV2 extends KerbyGssTokenBase {
- public static final int CONFOUNDER_SIZE = 16;
- public static final int TOKEN_HEADER_SIZE = 16;
- private static final int OFFSET_EC = 4;
- private static final int OFFSET_RRC = 6;
-
- // context states
- private boolean isInitiator = true;
- private boolean acceptorSubKey = false;
- private boolean confState = true;
- private int sequenceNumber;
-
- // token data
- protected int tokenType;
- private byte[] header = new byte[TOKEN_HEADER_SIZE];
- protected byte[] tokenData;
-
- protected byte[] checkSum;
- private int ec;
- private int rrc;
-
- static final int KG_USAGE_ACCEPTOR_SEAL = 22;
- static final int KG_USAGE_ACCEPTOR_SIGN = 23;
- static final int KG_USAGE_INITIATOR_SEAL = 24;
- static final int KG_USAGE_INITIATOR_SIGN = 25;
- private int keyUsage;
-
- private static final int FLAG_SENT_BY_ACCEPTOR = 1;
- private static final int FLAG_SEALED = 2;
- private static final int FLAG_ACCEPTOR_SUBKEY = 4;
-
- protected KerbyGssEncryptor encryptor;
-
-
- // Create a new token
- KerbyGssTokenV2(int tokenType, KerbyContext context) throws GSSException {
- initialize(tokenType, context, false);
- }
-
- private void initialize(int tokenType, KerbyContext context, boolean reconstruct) throws GSSException {
- this.tokenType = tokenType;
- this.isInitiator = context.isInitiator();
- this.acceptorSubKey = context.getKeyComesFrom() == KerbyContext.ACCEPTOR_SUBKEY;
- this.confState = context.getConfState();
-
- boolean usageFlag = reconstruct ? !this.isInitiator : this.isInitiator;
- if (tokenType == TOKEN_WRAP_V2) {
- keyUsage = usageFlag ? KG_USAGE_INITIATOR_SEAL : KG_USAGE_ACCEPTOR_SEAL;
- } else if (tokenType == TOKEN_MIC_V2) {
- keyUsage = usageFlag ? KG_USAGE_INITIATOR_SIGN : KG_USAGE_ACCEPTOR_SIGN;
- }
-
- encryptor = context.getGssEncryptor();
-
- if (!reconstruct) {
- this.sequenceNumber = context.incMySequenceNumber();
- }
- }
-
- // Reconstruct token from bytes received
- KerbyGssTokenV2(int tokenType, KerbyContext context,
- MessageProp prop, byte[] token, int offset, int len) throws GSSException {
- this(tokenType, context, prop, new ByteArrayInputStream(token, offset, len));
- }
-
- // Reconstruct token from input stream
- KerbyGssTokenV2(int tokenType, KerbyContext context,
- MessageProp prop, InputStream is) throws GSSException {
- initialize(tokenType, context, true);
-
- if (!confState) {
- prop.setPrivacy(false);
- }
-
- reconstructTokenHeader(prop, is);
-
- int minSize;
- if (tokenType == TOKEN_WRAP_V2 && prop.getPrivacy()) {
- minSize = CONFOUNDER_SIZE + TOKEN_HEADER_SIZE + encryptor.getCheckSumSize();
- } else {
- minSize = encryptor.getCheckSumSize();
- }
-
- try {
- int tokenLen = is.available();
-
- if (tokenType == TOKEN_MIC_V2) {
- tokenLen = minSize;
- tokenData = new byte[tokenLen];
- is.read(tokenData);
- } else {
- if (tokenLen >= minSize) {
- tokenData = new byte[tokenLen];
- is.read(tokenData);
- } else {
- throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token length");
- }
- }
-
- if (tokenType == TOKEN_WRAP_V2) {
- tokenData = rotate(tokenData);
- }
-
- if (tokenType == TOKEN_MIC_V2
- || tokenType == TOKEN_WRAP_V2 && !prop.getPrivacy()) {
- int checksumLen = encryptor.getCheckSumSize();
-
- if (tokenType != TOKEN_MIC_V2 && checksumLen != ec) {
- throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid EC");
- }
-
- checkSum = new byte[checksumLen];
- System.arraycopy(tokenData, tokenLen - checksumLen, checkSum, 0, checksumLen);
- }
- } catch (IOException e) {
- throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token");
- }
- }
-
- private byte[] rotate(byte[] data) {
- int dataLen = data.length;
- if (rrc % dataLen != 0) {
- rrc = rrc % dataLen;
- byte[] newBytes = new byte[dataLen];
-
- System.arraycopy(data, rrc, newBytes, 0, dataLen - rrc);
- System.arraycopy(data, 0, newBytes, dataLen - rrc, rrc);
- data = newBytes;
- }
- return data;
- }
-
- public int getKeyUsage() {
- return keyUsage;
- }
-
- public void generateCheckSum(MessageProp prop, byte[] data, int offset, int len) throws GSSException {
- // generate token header
- createTokenHeader(prop.getPrivacy());
-
- if (tokenType == TOKEN_MIC_V2
- || !prop.getPrivacy() && tokenType == TOKEN_WRAP_V2) {
- checkSum = getCheckSum(data, offset, len);
- }
-
- if (!prop.getPrivacy() && tokenType == TOKEN_WRAP_V2) {
- header[4] = (byte) (checkSum.length >>> 8);
- header[5] = (byte) (checkSum.length & 0xFF);
- }
- }
-
- public byte[] getCheckSum(byte[] data, int offset, int len) throws GSSException {
- int confidentialFlag = header[2] & 2;
- if (confidentialFlag == 0 && tokenType == TOKEN_WRAP_V2) {
- header[4] = 0;
- header[5] = 0;
- header[6] = 0;
- header[7] = 0;
- }
- return encryptor.calculateCheckSum(header, data, offset, len, keyUsage);
- }
-
- public boolean verifyCheckSum(byte[] data, int offset, int len) throws GSSException {
- byte[] dataCheckSum = getCheckSum(data, offset, len);
- return MessageDigest.isEqual(checkSum, dataCheckSum);
- }
-
- // Create a new header
- private void createTokenHeader(boolean privacy) {
- header[0] = (byte) (tokenType >>> 8);
- header[1] = (byte) tokenType;
-
- int flags = isInitiator ? 0 : FLAG_SENT_BY_ACCEPTOR;
- flags |= privacy && tokenType != TOKEN_MIC_V2 ? FLAG_SEALED : 0;
- flags |= acceptorSubKey ? FLAG_ACCEPTOR_SUBKEY : 0;
-
- header[2] = (byte) (flags & 0xFF);
- header[3] = (byte) 0xFF;
-
- if (tokenType == TOKEN_WRAP_V2) {
- header[4] = (byte) 0;
- header[5] = (byte) 0;
- header[6] = (byte) 0;
- header[7] = (byte) 0;
- } else if (tokenType == TOKEN_MIC_V2) {
- header[4] = (byte) 0xFF;
- header[5] = (byte) 0xFF;
- header[6] = (byte) 0xFF;
- header[7] = (byte) 0xFF;
- }
- writeBigEndian(header, 12, sequenceNumber);
- }
-
- // Reconstruct a token header
- private void reconstructTokenHeader(MessageProp prop, InputStream is) throws GSSException {
- try {
- if (is.read(header, 0, header.length) != header.length) {
- throw new GSSException(GSSException.FAILURE, -1, "Token header can not be read");
- }
- int tokenIDRecv = (((int) header[0]) << 8) + header[1];
- if (tokenIDRecv != tokenType) {
- throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1,
- "Token ID should be " + tokenType + " instead of " + tokenIDRecv);
- }
-
- int senderFlag = isInitiator ? FLAG_SENT_BY_ACCEPTOR : 0;
- int senderFlagRecv = header[2] & FLAG_SENT_BY_ACCEPTOR;
- if (senderFlagRecv != senderFlag) {
- throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid acceptor flag");
- }
-
- int confFlagRecv = header[2] & FLAG_SEALED;
- if (confFlagRecv == FLAG_SEALED && tokenType == TOKEN_WRAP_V2) {
- prop.setPrivacy(true);
- } else {
- prop.setPrivacy(false);
- }
-
- if (tokenType == TOKEN_WRAP_V2) {
- if (header[3] != (byte) 0xFF) {
- throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token filler");
- }
-
- ec = readBigEndian(header, OFFSET_EC, 2);
- rrc = readBigEndian(header, OFFSET_RRC, 2);
- } else if (tokenType == TOKEN_MIC_V2) {
- for (int i = 3; i < 8; i++) {
- if ((header[i] & 0xFF) != 0xFF) {
- throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token filler");
- }
- }
- }
-
- prop.setQOP(0);
- sequenceNumber = readBigEndian(header, 0, 8);
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1, "Phrase token header failed");
- }
- }
-
- public int encodeHeader(byte[] buf, int offset) {
- System.arraycopy(header, 0, buf, offset, TOKEN_HEADER_SIZE);
- return TOKEN_HEADER_SIZE;
- }
-
- public void encodeHeader(OutputStream os) throws IOException {
- os.write(header);
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/976b16cf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyInitCred.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyInitCred.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyInitCred.java
deleted file mode 100644
index d04f915..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyInitCred.java
+++ /dev/null
@@ -1,53 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi.krb5;
-
-import org.ietf.jgss.GSSException;
-import sun.security.jgss.GSSCaller;
-
-import javax.security.auth.kerberos.KerberosTicket;
-
-public final class KerbyInitCred extends KerbyCredElement {
-
- public KerberosTicket ticket;
-
- private KerbyInitCred(GSSCaller caller, KerbyNameElement name, KerberosTicket ticket, int lifeTime) {
- super(caller, name);
- this.ticket = ticket;
- this.initLifeTime = lifeTime;
- }
-
- public static KerbyInitCred getInstance(GSSCaller caller, KerbyNameElement name, int lifeTime) throws GSSException {
- KerberosTicket ticket = CredUtils.getKerberosTicketFromContext(caller, name.getPrincipalName().getName(), null);
- return new KerbyInitCred(caller, name, ticket, lifeTime);
- }
-
- public boolean isInitiatorCredential() throws GSSException {
- return true;
- }
-
- public boolean isAcceptorCredential() throws GSSException {
- return false;
- }
-
- public KerberosTicket getKerberosTicket() {
- return ticket;
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/976b16cf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyNameElement.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyNameElement.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyNameElement.java
deleted file mode 100644
index 9c93143..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyNameElement.java
+++ /dev/null
@@ -1,134 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi.krb5;
-
-import org.apache.kerby.kerberos.kerb.gssapi.KerbyMechFactory;
-import org.apache.kerby.kerberos.kerb.type.base.NameType;
-import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
-import org.ietf.jgss.GSSException;
-import org.ietf.jgss.GSSName;
-import org.ietf.jgss.Oid;
-import sun.security.jgss.spi.GSSNameSpi;
-import java.io.UnsupportedEncodingException;
-import java.security.Provider;
-
-public class KerbyNameElement implements GSSNameSpi {
-
- private PrincipalName principalName;
- private Oid nameType = null;
-
- KerbyNameElement(PrincipalName principalName,
- Oid nameType) {
- this.principalName = principalName;
- this.nameType = nameType;
- }
-
- public PrincipalName toKerbyPrincipalName(sun.security.krb5.PrincipalName name) {
- return new PrincipalName(name.getNameString(), toKerbyNameType(name.getNameType()));
- }
-
- private NameType toKerbyNameType(int intNameType) {
- return NameType.fromValue(intNameType);
- }
-
- public static NameType toKerbyNameType(Oid nameType) throws GSSException {
- NameType kerbyNameType;
-
- if (nameType == null) {
- throw new GSSException(GSSException.BAD_NAMETYPE);
- }
-
- if (nameType.equals(GSSName.NT_EXPORT_NAME) || nameType.equals(GSSName.NT_USER_NAME)) {
- kerbyNameType = NameType.NT_PRINCIPAL;
- } else if (nameType.equals(GSSName.NT_HOSTBASED_SERVICE)) {
- kerbyNameType = NameType.NT_SRV_HST;
- } else {
- throw new GSSException(GSSException.BAD_NAMETYPE, 0, "Unsupported Oid name type");
- }
- return kerbyNameType;
- }
-
- public static KerbyNameElement getInstance(String name, Oid oidNameType)
- throws GSSException {
- PrincipalName principalName = new PrincipalName(name, toKerbyNameType(oidNameType));
- return new KerbyNameElement(principalName, oidNameType);
- }
-
- public Provider getProvider() {
- return new org.apache.kerby.kerberos.kerb.gssapi.Provider();
- }
-
- public boolean equals(GSSNameSpi name) throws GSSException {
- if (name == null || name.isAnonymousName() || isAnonymousName()) {
- return false;
- }
- return this.toString().equals(name.toString()) && this.getStringNameType().equals(name.getStringNameType());
- }
-
- public final PrincipalName getPrincipalName() {
- return principalName;
- }
-
- public boolean equals(Object another) {
- if (another == null) {
- return false;
- }
-
- try {
- if (another instanceof GSSNameSpi) {
- return equals((GSSNameSpi) another);
- }
- } catch (GSSException e) {
- return false;
- }
-
- return false;
- }
-
- public int hashCode() {
- return principalName.hashCode();
- }
-
- public byte[] export() throws GSSException {
- byte[] retVal;
- try {
- retVal = principalName.getName().getBytes("UTF-8");
- } catch (UnsupportedEncodingException e) {
- throw new GSSException(GSSException.BAD_NAME, -1, e.getMessage());
- }
- return retVal;
- }
-
- public Oid getMechanism() {
- return KerbyMechFactory.getOid();
- }
-
- public String toString() {
- return principalName.toString();
- }
-
- public Oid getStringNameType() {
- return nameType;
- }
-
- public boolean isAnonymousName() {
- return nameType.equals(GSSName.NT_ANONYMOUS);
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/976b16cf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyUtil.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyUtil.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyUtil.java
deleted file mode 100644
index 081788b..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyUtil.java
+++ /dev/null
@@ -1,386 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi.krb5;
-
-import org.apache.kerby.kerberos.kerb.KrbException;
-import org.apache.kerby.kerberos.kerb.client.KrbClientBase;
-import org.apache.kerby.kerberos.kerb.type.KerberosTime;
-import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationData;
-import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationDataEntry;
-import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
-import org.apache.kerby.kerberos.kerb.type.base.HostAddress;
-import org.apache.kerby.kerberos.kerb.type.base.HostAddresses;
-import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
-import org.apache.kerby.kerberos.kerb.type.kdc.EncAsRepPart;
-import org.apache.kerby.kerberos.kerb.type.kdc.EncKdcRepPart;
-import org.apache.kerby.kerberos.kerb.type.kdc.EncTgsRepPart;
-import org.apache.kerby.kerberos.kerb.type.ticket.KrbTicket;
-import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
-import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
-import org.apache.kerby.kerberos.kerb.type.ticket.Ticket;
-import org.apache.kerby.kerberos.kerb.type.ticket.TicketFlags;
-import org.ietf.jgss.GSSException;
-import sun.security.jgss.GSSCaller;
-
-import javax.crypto.SecretKey;
-import javax.security.auth.kerberos.KerberosKey;
-import javax.security.auth.kerberos.KerberosPrincipal;
-import javax.security.auth.kerberos.KerberosTicket;
-import java.io.File;
-import java.io.IOException;
-import java.net.InetAddress;
-import java.net.UnknownHostException;
-import java.nio.ByteBuffer;
-import java.security.AccessController;
-import java.security.PrivilegedActionException;
-import java.security.PrivilegedExceptionAction;
-import java.util.Date;
-import java.util.List;
-
-/**
- * Some utility functions to translate types between GSS and Kerby
- */
-public class KerbyUtil {
- private static final int KERBEROS_TICKET_NUM_FLAGS = 32; // KerberosTicket.NUM_LENGTH
-
- /**
- * Construct TgtTicket from info contained in KerberosTicket
- * @param kerberosTicket
- * @return
- * @throws GSSException
- */
- public static TgtTicket getTgtTicketFromKerberosTicket(KerberosTicket kerberosTicket) throws GSSException {
- String clientName = kerberosTicket.getClient().getName();
- PrincipalName clientPrincipal = new PrincipalName(clientName);
-
- byte[] asn1Encoded = kerberosTicket.getEncoded();
- Ticket ticket = getTicketFromAsn1Encoded(asn1Encoded);
-
- EncAsRepPart encAsRepPart = new EncAsRepPart();
- fillEncKdcRepPart(encAsRepPart, kerberosTicket);
-
- TgtTicket tgt = new TgtTicket(ticket, encAsRepPart, clientPrincipal);
- return tgt;
- }
-
- /**
- * Init encKdcRepPart members with info from kerberosTicket
- * @param encKdcRepPart
- * @param kerberosTicket
- */
- public static void fillEncKdcRepPart(EncKdcRepPart encKdcRepPart, KerberosTicket kerberosTicket) {
- String clientName = kerberosTicket.getClient().getName();
- PrincipalName clientPrincipal = new PrincipalName(clientName);
-
- SecretKey secretKey = kerberosTicket.getSessionKey();
- int keyType = kerberosTicket.getSessionKeyType();
- EncryptionKey key = new EncryptionKey(keyType, secretKey.getEncoded());
- encKdcRepPart.setKey(key);
-
- encKdcRepPart.setSname(clientPrincipal);
- Date authTimeDate = kerberosTicket.getAuthTime();
- if (authTimeDate != null) {
- encKdcRepPart.setAuthTime(new KerberosTime(authTimeDate.getTime()));
- }
- Date startTimeDate = kerberosTicket.getStartTime();
- if (startTimeDate != null) {
- encKdcRepPart.setStartTime(new KerberosTime(startTimeDate.getTime()));
- }
- KerberosTime endTime = new KerberosTime(kerberosTicket.getEndTime().getTime());
- encKdcRepPart.setEndTime(endTime);
-
-
- InetAddress[] clientAddresses = kerberosTicket.getClientAddresses();
- HostAddresses hostAddresses = null;
- if (clientAddresses != null) {
- hostAddresses = new HostAddresses();
- for (InetAddress iAddr : clientAddresses) {
- hostAddresses.add(new HostAddress(iAddr));
- }
- }
- encKdcRepPart.setCaddr(hostAddresses);
-
- boolean[] tf = kerberosTicket.getFlags();
- TicketFlags ticketFlags = getTicketFlags(tf);
- encKdcRepPart.setFlags(ticketFlags);
-
-
- /* encKdcRepPart.setKeyExpiration();
- encKdcRepPart.setLastReq();
- encKdcRepPart.setNonce(); */
-
- Date renewTillDate = kerberosTicket.getRenewTill();
- KerberosTime renewTill = renewTillDate == null ? null : new KerberosTime(renewTillDate.getTime());
- encKdcRepPart.setRenewTill(renewTill);
-
- String serverRealm = kerberosTicket.getServer().getRealm();
- encKdcRepPart.setSrealm(serverRealm);
- }
-
- /**
- * Generate TicketFlags instance from flags
- * @param flags each item in flags identifies an bit setted or not
- * @return
- */
- public static TicketFlags getTicketFlags(boolean[] flags) {
- if (flags == null || flags.length != KERBEROS_TICKET_NUM_FLAGS) {
- return null;
- }
- int value = 0;
- for (boolean flag : flags) {
- value = (value << 1) + (flag ? 1 : 0);
- }
- return new TicketFlags(value);
- }
-
- /**
- * Decode each flag in ticketFlags into an boolean array
- * @param ticketFlags
- * @return
- */
- public static boolean[] ticketFlagsToBooleans(TicketFlags ticketFlags) {
- boolean[] ret = new boolean[KERBEROS_TICKET_NUM_FLAGS];
- int value = ticketFlags.getFlags();
- for (int i = 0; i < KERBEROS_TICKET_NUM_FLAGS; i++) {
- ret[KERBEROS_TICKET_NUM_FLAGS - i - 1] = (value & 0x1) != 0;
- value = value >> 1;
- }
- return ret;
- }
-
- /**
- * Construct a Ticket from bytes encoded by Asn1
- * @param encoded
- * @return
- * @throws GSSException
- */
- public static Ticket getTicketFromAsn1Encoded(byte[] encoded) throws GSSException {
- Ticket ticket = new Ticket();
- ByteBuffer byteBuffer = ByteBuffer.wrap(encoded);
- try {
- ticket.decode(byteBuffer);
- return ticket;
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1, e.getMessage());
- }
- }
-
- /**
- * Scan current context for SgtTicket
- * @param client
- * @param service
- * @return
- */
- public static SgtTicket getSgtCredentialFromContext(GSSCaller caller, String client, String service)
- throws GSSException {
- KerberosTicket ticket = CredUtils.getKerberosTicketFromContext(caller, client, service);
- return getSgtTicketFromKerberosTicket(ticket);
- }
-
- /**
- * Construct a SgtTicket from KerberosTicket
- * @param kerberosTicket
- * @return
- * @throws GSSException
- */
- public static SgtTicket getSgtTicketFromKerberosTicket(KerberosTicket kerberosTicket) throws GSSException {
- if (kerberosTicket == null) {
- return null;
- }
-
- Ticket ticket = getTicketFromAsn1Encoded(kerberosTicket.getEncoded());
-
- EncTgsRepPart encTgsRepPart = new EncTgsRepPart();
- fillEncKdcRepPart(encTgsRepPart, kerberosTicket);
-
- SgtTicket sgt = new SgtTicket(ticket, encTgsRepPart);
- return sgt;
- }
-
- /**
- * Apply SgtTicket by sending TGS_REQ to KDC
- * @param ticket
- * @param service
- * @return
- */
- public static SgtTicket applySgtCredential(KerberosTicket ticket, String service) throws GSSException {
- TgtTicket tgt = getTgtTicketFromKerberosTicket(ticket);
- return applySgtCredential(tgt, service);
- }
-
- public static SgtTicket applySgtCredential(TgtTicket tgt, String server) throws GSSException {
- KrbClientBase client = getKrbClient();
-
- SgtTicket sgt = null;
- try {
- client.init();
- sgt = client.requestSgt(tgt, server);
- return sgt;
- } catch (KrbException e) {
- throw new GSSException(GSSException.FAILURE, -1, e.getMessage());
- }
- }
-
- public static KerberosTicket convertKrbTicketToKerberosTicket(KrbTicket krbTicket, String clientName)
- throws GSSException {
- byte[] asn1Encoding;
- try {
- asn1Encoding = krbTicket.getTicket().encode();
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1, e.getMessage());
- }
-
- byte[] sessionKey = krbTicket.getSessionKey().getKeyData();
- int keyType = krbTicket.getSessionKey().getKeyType().getValue();
-
- EncKdcRepPart encKdcRepPart = krbTicket.getEncKdcRepPart();
- KerberosPrincipal client = new KerberosPrincipal(clientName);
-
- PrincipalName serverPrinc = krbTicket.getTicket().getSname();
- String serverName = serverPrinc.getName() + "@" + krbTicket.getTicket().getRealm();
- KerberosPrincipal server = new KerberosPrincipal(serverName, serverPrinc.getNameType().getValue());
-
- TicketFlags ticketFlags = encKdcRepPart.getFlags();
- boolean[] flags = ticketFlagsToBooleans(ticketFlags);
-
- Date authTime = new Date(encKdcRepPart.getAuthTime().getTime());
- Date startTime = new Date(encKdcRepPart.getStartTime().getTime());
- Date endTime = new Date(encKdcRepPart.getEndTime().getTime());
- Date renewTill = new Date(encKdcRepPart.getRenewTill().getTime());
-
- InetAddress[] clientAddresses = null;
- List<HostAddress> hostAddresses = encKdcRepPart.getCaddr().getElements();
- if (hostAddresses != null) {
- int i = 0;
- clientAddresses = new InetAddress[hostAddresses.size()];
- for (HostAddress hostAddr : hostAddresses) {
- try {
- InetAddress iAddr = InetAddress.getByAddress(hostAddr.getAddress());
- clientAddresses[i++] = iAddr;
- } catch (UnknownHostException e) {
- throw new GSSException(GSSException.FAILURE, -1, "Bad client address");
- }
- }
- }
-
- KerberosTicket ticket = new KerberosTicket(
- asn1Encoding,
- client,
- server,
- sessionKey,
- keyType,
- flags,
- authTime,
- startTime,
- endTime,
- renewTill,
- clientAddresses
- );
- return ticket;
- }
-
- public static KrbClientBase getKrbClient() {
- KrbClientBase client;
- try {
- File confSpecified = new File(getSystemProperty("java.security.krb5.conf"));
- if (confSpecified != null) {
- client = new KrbClientBase(confSpecified);
- } else {
- client = new KrbClientBase(); // get configure file from environment variable or default path
- }
-
- return client;
- } catch (KrbException e) {
- return null;
- }
- }
-
- public static EncryptionKey[] convertKerberosKeyToEncryptionKey(KerberosKey[] krbKeys) {
- if (krbKeys == null) {
- return null;
- }
- EncryptionKey[] keys = new EncryptionKey[krbKeys.length];
- int i = 0;
- for (KerberosKey krbKey : krbKeys) {
- keys[i++] = new EncryptionKey(krbKey.getKeyType(), krbKey.getEncoded());
- }
- return keys;
- }
-
- /**
- * Filter out an appropriate KerberosKey from krbKeys and generate a
- * EncryptionKey accordingly
- *
- * @param krbKeys
- * @param encType
- * @param kvno
- * @return
- */
- public static EncryptionKey getEncryptionKey(KerberosKey[] krbKeys, int encType, int kvno) {
- if (krbKeys == null) {
- return null;
- }
- for (KerberosKey krbKey : krbKeys) {
- if (krbKey.getKeyType() == encType && krbKey.getVersionNumber() == kvno && !krbKey.isDestroyed()) {
- return new EncryptionKey(krbKey.getKeyType(), krbKey.getEncoded());
- }
- }
- return null;
- }
-
- /**
- * Get value of predefined system property
- * @param name
- * @return
- */
- private static String getSystemProperty(String name) {
- if (name == null) {
- return null;
- }
-
- final String propertyName = name;
- try {
- return AccessController.doPrivileged(
- new PrivilegedExceptionAction<String>() {
- public String run() {
- return System.getProperty(propertyName);
- }
- });
- } catch (PrivilegedActionException e) {
- return null; // ignored
- }
- }
-
- public static com.sun.security.jgss.AuthorizationDataEntry[]
- kerbyAuthorizationDataToJgssAuthorizationDataEntries(AuthorizationData authData) {
- if (authData == null) {
- return null;
- }
- List<AuthorizationDataEntry> kerbyEntries = authData.getElements();
- com.sun.security.jgss.AuthorizationDataEntry[] entries =
- new com.sun.security.jgss.AuthorizationDataEntry[kerbyEntries.size()];
- for (int i = 0; i < kerbyEntries.size(); i++) {
- entries[i] = new com.sun.security.jgss.AuthorizationDataEntry(
- kerbyEntries.get(i).getAuthzType().getValue(),
- kerbyEntries.get(i).getAuthzData());
- }
- return entries;
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/976b16cf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/MicTokenV1.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/MicTokenV1.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/MicTokenV1.java
deleted file mode 100644
index 6a76e4c..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/MicTokenV1.java
+++ /dev/null
@@ -1,92 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi.krb5;
-
-import org.ietf.jgss.GSSException;
-import org.ietf.jgss.MessageProp;
-
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-
-public class MicTokenV1 extends KerbyGssTokenV1 {
- public MicTokenV1(KerbyContext context,
- byte[] inMsg,
- int msgOffset,
- int msgLength,
- MessageProp messageProp) throws GSSException {
- super(TOKEN_MIC_V1, context);
- calcPrivacyInfo(messageProp, null, inMsg, msgOffset, msgLength, 0);
- }
-
- // This is called to construct MicToken from MicToken bytes
- MicTokenV1(KerbyContext context,
- MessageProp messageProp,
- byte[] inToken,
- int tokenOffset,
- int tokenLength) throws GSSException {
- super(TOKEN_MIC_V1, context, messageProp, inToken, tokenOffset, tokenLength);
- }
-
- public int getMic(byte[] outToken, int offset) throws GSSException, IOException {
- byte[] data = getMic();
- System.arraycopy(data, 0, outToken, offset, data.length);
- return data.length;
- }
-
- /**
- * Get bytes for this Mic token
- * @return
- */
- public byte[] getMic() throws GSSException {
- ByteArrayOutputStream os = new ByteArrayOutputStream(64);
- getMic(os);
- return os.toByteArray();
- }
-
- public void getMic(OutputStream os) throws GSSException {
- try {
- encodeHeader(os);
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1, "Error in output MicTokenV1 bytes:" + e.getMessage());
- }
- }
-
- public void verify(InputStream is) throws GSSException {
- byte[] data;
- try {
- data = new byte[is.available()];
- is.read(data);
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1,
- "Read plain data for MicTokenV1 error:" + e.getMessage());
- }
- verify(data, 0, data.length);
- }
-
- public void verify(byte[] data, int offset, int len) throws GSSException {
- verifyToken(null, data, offset, len, 0);
- }
-
- protected int getTokenSizeWithoutGssHeader() {
- return getTokenHeaderSize();
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/976b16cf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/MicTokenV2.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/MicTokenV2.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/MicTokenV2.java
deleted file mode 100644
index 7ba27ab..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/MicTokenV2.java
+++ /dev/null
@@ -1,94 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi.krb5;
-
-import org.ietf.jgss.GSSException;
-import org.ietf.jgss.MessageProp;
-
-import java.io.IOException;
-import java.io.OutputStream;
-
-public class MicTokenV2 extends KerbyGssTokenV2 {
- private MessageProp prop;
-
- // This is called to construct MicToken from user input
- MicTokenV2(KerbyContext context,
- byte[] inMsg,
- int msgOffset,
- int msgLength,
- MessageProp messageProp) throws GSSException {
- super(TOKEN_MIC_V2, context);
-
- prop = messageProp;
- if (prop == null) {
- prop = new MessageProp(0, false);
- }
-
- generateCheckSum(prop, inMsg, msgOffset, msgLength);
- }
-
- // This is called to construct MicToken from MicToken bytes
- MicTokenV2(KerbyContext context,
- MessageProp messageProp,
- byte[] inToken,
- int tokenOffset,
- int tokenLength) throws GSSException {
- super(TOKEN_MIC_V2, context, messageProp, inToken, tokenOffset, tokenLength);
- this.prop = messageProp;
- }
-
- public int getMic(byte[] outToken, int offset) {
- encodeHeader(outToken, offset);
- System.arraycopy(checkSum, 0, outToken, TOKEN_HEADER_SIZE + offset, checkSum.length);
- return TOKEN_HEADER_SIZE + checkSum.length;
- }
-
- /**
- * Get bytes for this Mic token
- * @return
- */
- public byte[] getMic() {
- byte[] ret = new byte[TOKEN_HEADER_SIZE + checkSum.length];
- getMic(ret, 0);
- return ret;
- }
-
- public void getMic(OutputStream os) throws GSSException {
- try {
- encodeHeader(os);
- os.write(checkSum);
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1, "Output MicTokenV2 error:" + e.getMessage());
- }
- }
-
- /**
- * Calculate the checksum for inMsg and compare with it with this token, throw GssException if not equal
- * @param inMsg
- * @param msgOffset
- * @param msgLen
- * @throws GSSException
- */
- public void verify(byte[] inMsg, int msgOffset, int msgLen) throws GSSException {
- if (!verifyCheckSum(inMsg, msgOffset, msgLen)) {
- throw new GSSException(GSSException.BAD_MIC, -1, "Corrupt MIC token");
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/976b16cf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV1.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV1.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV1.java
deleted file mode 100644
index 8ecdae4..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV1.java
+++ /dev/null
@@ -1,196 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi.krb5;
-
-import org.apache.kerby.kerberos.kerb.crypto.util.Random;
-import org.ietf.jgss.GSSException;
-import org.ietf.jgss.MessageProp;
-import sun.security.jgss.GSSHeader;
-
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-
-public class WrapTokenV1 extends KerbyGssTokenV1 {
- public static final int CONFOUNDER_SIZE = 8;
-
- private boolean privacy;
-
- private byte[] inData;
- private int inOffset;
- private int inLen;
-
- private int paddingLen;
- private byte[] confounder;
- private int tokenBodyLen;
-
- private byte[] bodyData;
- private int bodyOffset;
- private int bodyLen;
-
- // for reconstruct
- private int rawDataLength;
- private byte[] rawData;
- private int rawDataOffset;
-
-
- // Generate wrap token according user data
- public WrapTokenV1(KerbyContext context,
- byte[] inMsg,
- int msgOffset,
- int msgLength,
- MessageProp prop) throws GSSException {
- super(TOKEN_WRAP_V1, context);
-
- paddingLen = getPaddingLength(msgLength);
- confounder = Random.makeBytes(CONFOUNDER_SIZE);
- tokenBodyLen = CONFOUNDER_SIZE + msgLength + paddingLen;
-
- calcPrivacyInfo(prop, confounder, inMsg, msgOffset, msgLength, paddingLen);
-
- if (!context.getConfState()) {
- prop.setPrivacy(false);
- }
- privacy = prop.getPrivacy();
- inData = inMsg;
- inOffset = msgOffset;
- inLen = msgLength;
- }
-
- // Reconstruct a token from token bytes
- public WrapTokenV1(KerbyContext context, MessageProp prop,
- byte[] token, int offset, int len) throws GSSException {
- super(TOKEN_WRAP_V1, context, prop, token, offset, len);
- // adjust the offset to the beginning of the body
- bodyData = token;
- bodyOffset = offset + reconHeaderLen;
- bodyLen = len - reconHeaderLen;
- getRawData(prop);
- }
-
- // Reconstruct a token from token bytes stream
- public WrapTokenV1(KerbyContext context, MessageProp prop, InputStream is) throws GSSException {
- super(TOKEN_WRAP_V1, context, prop, is);
- byte[] token;
- int len;
- try {
- len = is.available();
- token = new byte[len];
- is.read(token);
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1, "Read wrap token V1 error:" + e.getMessage());
- }
- bodyData = token;
- bodyOffset = 0;
- bodyLen = len;
- getRawData(prop);
- }
-
- private void getRawData(MessageProp prop) throws GSSException {
- privacy = prop.getPrivacy();
- tokenBodyLen = getGssHeader().getMechTokenLength() - getTokenHeaderSize();
-
- if (bodyLen < tokenBodyLen) {
- throw new GSSException(GSSException.FAILURE, -1, "Insufficient data for Wrap token V1");
- }
-
- if (privacy) {
- rawData = encryptor.encryptTokenV1(null, bodyData, bodyOffset, tokenBodyLen, 0,
- encryptor.isArcFourHmac() ? getPlainSequenceBytes() : null, false);
- paddingLen = rawData[rawData.length - 1];
- rawDataOffset = CONFOUNDER_SIZE;
- } else {
- rawData = bodyData;
- paddingLen = bodyData[bodyOffset + tokenBodyLen - 1];
- rawDataOffset = bodyOffset + CONFOUNDER_SIZE;
- }
- rawDataLength = tokenBodyLen - CONFOUNDER_SIZE - paddingLen;
-
- verifyToken(null, rawData, rawDataOffset - CONFOUNDER_SIZE, tokenBodyLen, 0);
- }
-
- // Get plain text data from token data bytes
- public byte[] unwrap() throws GSSException {
- byte[] ret = new byte[rawDataLength];
- System.arraycopy(rawData, rawDataOffset, ret, 0, rawDataLength);
- return ret;
- }
-
- public void unwrap(OutputStream os) throws GSSException {
- try {
- os.write(rawData, rawDataOffset, rawDataLength);
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1,
- "Error in output wrap token v1 data bytes:" + e.getMessage());
- }
- }
-
- public byte[] wrap() throws GSSException {
- ByteArrayOutputStream os = new ByteArrayOutputStream(getTokenSizeWithoutGssHeader() + inLen + 64);
- wrap(os);
- return os.toByteArray();
- }
-
- public void wrap(OutputStream os) throws GSSException {
- try {
- encodeHeader(os);
- if (privacy) {
- byte[] enc = encryptor.encryptTokenV1(confounder, inData, inOffset, inLen, paddingLen,
- encryptor.isArcFourHmac() ? getPlainSequenceBytes() : null, true);
- os.write(enc);
- } else {
- os.write(confounder);
- os.write(inData, inOffset, inLen);
- os.write(getPaddingBytes(paddingLen));
- }
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1, "Error in output wrap token v1 bytes:" + e.getMessage());
- }
- }
-
- protected int getTokenSizeWithoutGssHeader() {
- return tokenBodyLen + getTokenHeaderSize();
- }
-
- private int getPaddingLength(int dataLen) {
- if (encryptor.isArcFourHmac()) {
- return 1;
- }
- return 8 - (dataLen % 8);
- }
-
- private byte[] getPaddingBytes(int len) {
- byte[] ret = new byte[len];
- int i = 0;
- while (i < len) {
- ret[i++] = (byte) len;
- }
- return ret;
- }
-
- public static int getMsgSizeLimit(int qop, boolean confReq, int maxTokSize, KerbyGssEncryptor encryptor)
- throws GSSException {
- return GSSHeader.getMaxMechTokenSize(objId, maxTokSize)
- - encryptor.getCheckSumSize()
- - TOKEN_HEADER_COMM_SIZE - TOKEN_HEADER_SEQ_SIZE
- - CONFOUNDER_SIZE - 8;
- }
-}
[13/18] directory-kerby git commit: Refactoring the package and
structure
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/976b16cf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssTokenV2.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssTokenV2.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssTokenV2.java
new file mode 100644
index 0000000..5220900
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssTokenV2.java
@@ -0,0 +1,282 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss.impl;
+
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.MessageProp;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.security.MessageDigest;
+
+/**
+ * This class implements the token formats defined in RFC 4121.
+ */
+abstract class GssTokenV2 extends GssTokenBase {
+ public static final int CONFOUNDER_SIZE = 16;
+ public static final int TOKEN_HEADER_SIZE = 16;
+ private static final int OFFSET_EC = 4;
+ private static final int OFFSET_RRC = 6;
+
+ // context states
+ private boolean isInitiator = true;
+ private boolean acceptorSubKey = false;
+ private boolean confState = true;
+ private int sequenceNumber;
+
+ // token data
+ protected int tokenType;
+ private byte[] header = new byte[TOKEN_HEADER_SIZE];
+ protected byte[] tokenData;
+
+ protected byte[] checkSum;
+ private int ec;
+ private int rrc;
+
+ static final int KG_USAGE_ACCEPTOR_SEAL = 22;
+ static final int KG_USAGE_ACCEPTOR_SIGN = 23;
+ static final int KG_USAGE_INITIATOR_SEAL = 24;
+ static final int KG_USAGE_INITIATOR_SIGN = 25;
+ private int keyUsage;
+
+ private static final int FLAG_SENT_BY_ACCEPTOR = 1;
+ private static final int FLAG_SEALED = 2;
+ private static final int FLAG_ACCEPTOR_SUBKEY = 4;
+
+ protected GssEncryptor encryptor;
+
+
+ // Create a new token
+ GssTokenV2(int tokenType, GssContext context) throws GSSException {
+ initialize(tokenType, context, false);
+ }
+
+ private void initialize(int tokenType, GssContext context, boolean reconstruct) throws GSSException {
+ this.tokenType = tokenType;
+ this.isInitiator = context.isInitiator();
+ this.acceptorSubKey = context.getKeyComesFrom() == GssContext.ACCEPTOR_SUBKEY;
+ this.confState = context.getConfState();
+
+ boolean usageFlag = reconstruct ? !this.isInitiator : this.isInitiator;
+ if (tokenType == TOKEN_WRAP_V2) {
+ keyUsage = usageFlag ? KG_USAGE_INITIATOR_SEAL : KG_USAGE_ACCEPTOR_SEAL;
+ } else if (tokenType == TOKEN_MIC_V2) {
+ keyUsage = usageFlag ? KG_USAGE_INITIATOR_SIGN : KG_USAGE_ACCEPTOR_SIGN;
+ }
+
+ encryptor = context.getGssEncryptor();
+
+ if (!reconstruct) {
+ this.sequenceNumber = context.incMySequenceNumber();
+ }
+ }
+
+ // Reconstruct token from bytes received
+ GssTokenV2(int tokenType, GssContext context,
+ MessageProp prop, byte[] token, int offset, int len) throws GSSException {
+ this(tokenType, context, prop, new ByteArrayInputStream(token, offset, len));
+ }
+
+ // Reconstruct token from input stream
+ GssTokenV2(int tokenType, GssContext context,
+ MessageProp prop, InputStream is) throws GSSException {
+ initialize(tokenType, context, true);
+
+ if (!confState) {
+ prop.setPrivacy(false);
+ }
+
+ reconstructTokenHeader(prop, is);
+
+ int minSize;
+ if (tokenType == TOKEN_WRAP_V2 && prop.getPrivacy()) {
+ minSize = CONFOUNDER_SIZE + TOKEN_HEADER_SIZE + encryptor.getCheckSumSize();
+ } else {
+ minSize = encryptor.getCheckSumSize();
+ }
+
+ try {
+ int tokenLen = is.available();
+
+ if (tokenType == TOKEN_MIC_V2) {
+ tokenLen = minSize;
+ tokenData = new byte[tokenLen];
+ is.read(tokenData);
+ } else {
+ if (tokenLen >= minSize) {
+ tokenData = new byte[tokenLen];
+ is.read(tokenData);
+ } else {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token length");
+ }
+ }
+
+ if (tokenType == TOKEN_WRAP_V2) {
+ tokenData = rotate(tokenData);
+ }
+
+ if (tokenType == TOKEN_MIC_V2
+ || tokenType == TOKEN_WRAP_V2 && !prop.getPrivacy()) {
+ int checksumLen = encryptor.getCheckSumSize();
+
+ if (tokenType != TOKEN_MIC_V2 && checksumLen != ec) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid EC");
+ }
+
+ checkSum = new byte[checksumLen];
+ System.arraycopy(tokenData, tokenLen - checksumLen, checkSum, 0, checksumLen);
+ }
+ } catch (IOException e) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token");
+ }
+ }
+
+ private byte[] rotate(byte[] data) {
+ int dataLen = data.length;
+ if (rrc % dataLen != 0) {
+ rrc = rrc % dataLen;
+ byte[] newBytes = new byte[dataLen];
+
+ System.arraycopy(data, rrc, newBytes, 0, dataLen - rrc);
+ System.arraycopy(data, 0, newBytes, dataLen - rrc, rrc);
+ data = newBytes;
+ }
+ return data;
+ }
+
+ public int getKeyUsage() {
+ return keyUsage;
+ }
+
+ public void generateCheckSum(MessageProp prop, byte[] data, int offset, int len) throws GSSException {
+ // generate token header
+ createTokenHeader(prop.getPrivacy());
+
+ if (tokenType == TOKEN_MIC_V2
+ || !prop.getPrivacy() && tokenType == TOKEN_WRAP_V2) {
+ checkSum = getCheckSum(data, offset, len);
+ }
+
+ if (!prop.getPrivacy() && tokenType == TOKEN_WRAP_V2) {
+ header[4] = (byte) (checkSum.length >>> 8);
+ header[5] = (byte) (checkSum.length & 0xFF);
+ }
+ }
+
+ public byte[] getCheckSum(byte[] data, int offset, int len) throws GSSException {
+ int confidentialFlag = header[2] & 2;
+ if (confidentialFlag == 0 && tokenType == TOKEN_WRAP_V2) {
+ header[4] = 0;
+ header[5] = 0;
+ header[6] = 0;
+ header[7] = 0;
+ }
+ return encryptor.calculateCheckSum(header, data, offset, len, keyUsage);
+ }
+
+ public boolean verifyCheckSum(byte[] data, int offset, int len) throws GSSException {
+ byte[] dataCheckSum = getCheckSum(data, offset, len);
+ return MessageDigest.isEqual(checkSum, dataCheckSum);
+ }
+
+ // Create a new header
+ private void createTokenHeader(boolean privacy) {
+ header[0] = (byte) (tokenType >>> 8);
+ header[1] = (byte) tokenType;
+
+ int flags = isInitiator ? 0 : FLAG_SENT_BY_ACCEPTOR;
+ flags |= privacy && tokenType != TOKEN_MIC_V2 ? FLAG_SEALED : 0;
+ flags |= acceptorSubKey ? FLAG_ACCEPTOR_SUBKEY : 0;
+
+ header[2] = (byte) (flags & 0xFF);
+ header[3] = (byte) 0xFF;
+
+ if (tokenType == TOKEN_WRAP_V2) {
+ header[4] = (byte) 0;
+ header[5] = (byte) 0;
+ header[6] = (byte) 0;
+ header[7] = (byte) 0;
+ } else if (tokenType == TOKEN_MIC_V2) {
+ header[4] = (byte) 0xFF;
+ header[5] = (byte) 0xFF;
+ header[6] = (byte) 0xFF;
+ header[7] = (byte) 0xFF;
+ }
+ writeBigEndian(header, 12, sequenceNumber);
+ }
+
+ // Reconstruct a token header
+ private void reconstructTokenHeader(MessageProp prop, InputStream is) throws GSSException {
+ try {
+ if (is.read(header, 0, header.length) != header.length) {
+ throw new GSSException(GSSException.FAILURE, -1, "Token header can not be read");
+ }
+ int tokenIDRecv = (((int) header[0]) << 8) + header[1];
+ if (tokenIDRecv != tokenType) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1,
+ "Token ID should be " + tokenType + " instead of " + tokenIDRecv);
+ }
+
+ int senderFlag = isInitiator ? FLAG_SENT_BY_ACCEPTOR : 0;
+ int senderFlagRecv = header[2] & FLAG_SENT_BY_ACCEPTOR;
+ if (senderFlagRecv != senderFlag) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid acceptor flag");
+ }
+
+ int confFlagRecv = header[2] & FLAG_SEALED;
+ if (confFlagRecv == FLAG_SEALED && tokenType == TOKEN_WRAP_V2) {
+ prop.setPrivacy(true);
+ } else {
+ prop.setPrivacy(false);
+ }
+
+ if (tokenType == TOKEN_WRAP_V2) {
+ if (header[3] != (byte) 0xFF) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token filler");
+ }
+
+ ec = readBigEndian(header, OFFSET_EC, 2);
+ rrc = readBigEndian(header, OFFSET_RRC, 2);
+ } else if (tokenType == TOKEN_MIC_V2) {
+ for (int i = 3; i < 8; i++) {
+ if ((header[i] & 0xFF) != 0xFF) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token filler");
+ }
+ }
+ }
+
+ prop.setQOP(0);
+ sequenceNumber = readBigEndian(header, 0, 8);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Phrase token header failed");
+ }
+ }
+
+ public int encodeHeader(byte[] buf, int offset) {
+ System.arraycopy(header, 0, buf, offset, TOKEN_HEADER_SIZE);
+ return TOKEN_HEADER_SIZE;
+ }
+
+ public void encodeHeader(OutputStream os) throws IOException {
+ os.write(header);
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/976b16cf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssUtil.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssUtil.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssUtil.java
new file mode 100644
index 0000000..372abcb
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssUtil.java
@@ -0,0 +1,386 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss.impl;
+
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.client.KrbClientBase;
+import org.apache.kerby.kerberos.kerb.type.KerberosTime;
+import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationData;
+import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationDataEntry;
+import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.type.base.HostAddress;
+import org.apache.kerby.kerberos.kerb.type.base.HostAddresses;
+import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
+import org.apache.kerby.kerberos.kerb.type.kdc.EncAsRepPart;
+import org.apache.kerby.kerberos.kerb.type.kdc.EncKdcRepPart;
+import org.apache.kerby.kerberos.kerb.type.kdc.EncTgsRepPart;
+import org.apache.kerby.kerberos.kerb.type.ticket.KrbTicket;
+import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
+import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
+import org.apache.kerby.kerberos.kerb.type.ticket.Ticket;
+import org.apache.kerby.kerberos.kerb.type.ticket.TicketFlags;
+import org.ietf.jgss.GSSException;
+import sun.security.jgss.GSSCaller;
+
+import javax.crypto.SecretKey;
+import javax.security.auth.kerberos.KerberosKey;
+import javax.security.auth.kerberos.KerberosPrincipal;
+import javax.security.auth.kerberos.KerberosTicket;
+import java.io.File;
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.nio.ByteBuffer;
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.util.Date;
+import java.util.List;
+
+/**
+ * Some utility functions to translate types between GSS and Kerby
+ */
+public class GssUtil {
+ private static final int KERBEROS_TICKET_NUM_FLAGS = 32; // KerberosTicket.NUM_LENGTH
+
+ /**
+ * Construct TgtTicket from info contained in KerberosTicket
+ * @param kerberosTicket
+ * @return
+ * @throws GSSException
+ */
+ public static TgtTicket getTgtTicketFromKerberosTicket(KerberosTicket kerberosTicket) throws GSSException {
+ String clientName = kerberosTicket.getClient().getName();
+ PrincipalName clientPrincipal = new PrincipalName(clientName);
+
+ byte[] asn1Encoded = kerberosTicket.getEncoded();
+ Ticket ticket = getTicketFromAsn1Encoded(asn1Encoded);
+
+ EncAsRepPart encAsRepPart = new EncAsRepPart();
+ fillEncKdcRepPart(encAsRepPart, kerberosTicket);
+
+ TgtTicket tgt = new TgtTicket(ticket, encAsRepPart, clientPrincipal);
+ return tgt;
+ }
+
+ /**
+ * Init encKdcRepPart members with info from kerberosTicket
+ * @param encKdcRepPart
+ * @param kerberosTicket
+ */
+ public static void fillEncKdcRepPart(EncKdcRepPart encKdcRepPart, KerberosTicket kerberosTicket) {
+ String clientName = kerberosTicket.getClient().getName();
+ PrincipalName clientPrincipal = new PrincipalName(clientName);
+
+ SecretKey secretKey = kerberosTicket.getSessionKey();
+ int keyType = kerberosTicket.getSessionKeyType();
+ EncryptionKey key = new EncryptionKey(keyType, secretKey.getEncoded());
+ encKdcRepPart.setKey(key);
+
+ encKdcRepPart.setSname(clientPrincipal);
+ Date authTimeDate = kerberosTicket.getAuthTime();
+ if (authTimeDate != null) {
+ encKdcRepPart.setAuthTime(new KerberosTime(authTimeDate.getTime()));
+ }
+ Date startTimeDate = kerberosTicket.getStartTime();
+ if (startTimeDate != null) {
+ encKdcRepPart.setStartTime(new KerberosTime(startTimeDate.getTime()));
+ }
+ KerberosTime endTime = new KerberosTime(kerberosTicket.getEndTime().getTime());
+ encKdcRepPart.setEndTime(endTime);
+
+
+ InetAddress[] clientAddresses = kerberosTicket.getClientAddresses();
+ HostAddresses hostAddresses = null;
+ if (clientAddresses != null) {
+ hostAddresses = new HostAddresses();
+ for (InetAddress iAddr : clientAddresses) {
+ hostAddresses.add(new HostAddress(iAddr));
+ }
+ }
+ encKdcRepPart.setCaddr(hostAddresses);
+
+ boolean[] tf = kerberosTicket.getFlags();
+ TicketFlags ticketFlags = getTicketFlags(tf);
+ encKdcRepPart.setFlags(ticketFlags);
+
+
+ /* encKdcRepPart.setKeyExpiration();
+ encKdcRepPart.setLastReq();
+ encKdcRepPart.setNonce(); */
+
+ Date renewTillDate = kerberosTicket.getRenewTill();
+ KerberosTime renewTill = renewTillDate == null ? null : new KerberosTime(renewTillDate.getTime());
+ encKdcRepPart.setRenewTill(renewTill);
+
+ String serverRealm = kerberosTicket.getServer().getRealm();
+ encKdcRepPart.setSrealm(serverRealm);
+ }
+
+ /**
+ * Generate TicketFlags instance from flags
+ * @param flags each item in flags identifies an bit setted or not
+ * @return
+ */
+ public static TicketFlags getTicketFlags(boolean[] flags) {
+ if (flags == null || flags.length != KERBEROS_TICKET_NUM_FLAGS) {
+ return null;
+ }
+ int value = 0;
+ for (boolean flag : flags) {
+ value = (value << 1) + (flag ? 1 : 0);
+ }
+ return new TicketFlags(value);
+ }
+
+ /**
+ * Decode each flag in ticketFlags into an boolean array
+ * @param ticketFlags
+ * @return
+ */
+ public static boolean[] ticketFlagsToBooleans(TicketFlags ticketFlags) {
+ boolean[] ret = new boolean[KERBEROS_TICKET_NUM_FLAGS];
+ int value = ticketFlags.getFlags();
+ for (int i = 0; i < KERBEROS_TICKET_NUM_FLAGS; i++) {
+ ret[KERBEROS_TICKET_NUM_FLAGS - i - 1] = (value & 0x1) != 0;
+ value = value >> 1;
+ }
+ return ret;
+ }
+
+ /**
+ * Construct a Ticket from bytes encoded by Asn1
+ * @param encoded
+ * @return
+ * @throws GSSException
+ */
+ public static Ticket getTicketFromAsn1Encoded(byte[] encoded) throws GSSException {
+ Ticket ticket = new Ticket();
+ ByteBuffer byteBuffer = ByteBuffer.wrap(encoded);
+ try {
+ ticket.decode(byteBuffer);
+ return ticket;
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, e.getMessage());
+ }
+ }
+
+ /**
+ * Scan current context for SgtTicket
+ * @param client
+ * @param service
+ * @return
+ */
+ public static SgtTicket getSgtCredentialFromContext(GSSCaller caller, String client, String service)
+ throws GSSException {
+ KerberosTicket ticket = CredUtils.getKerberosTicketFromContext(caller, client, service);
+ return getSgtTicketFromKerberosTicket(ticket);
+ }
+
+ /**
+ * Construct a SgtTicket from KerberosTicket
+ * @param kerberosTicket
+ * @return
+ * @throws GSSException
+ */
+ public static SgtTicket getSgtTicketFromKerberosTicket(KerberosTicket kerberosTicket) throws GSSException {
+ if (kerberosTicket == null) {
+ return null;
+ }
+
+ Ticket ticket = getTicketFromAsn1Encoded(kerberosTicket.getEncoded());
+
+ EncTgsRepPart encTgsRepPart = new EncTgsRepPart();
+ fillEncKdcRepPart(encTgsRepPart, kerberosTicket);
+
+ SgtTicket sgt = new SgtTicket(ticket, encTgsRepPart);
+ return sgt;
+ }
+
+ /**
+ * Apply SgtTicket by sending TGS_REQ to KDC
+ * @param ticket
+ * @param service
+ * @return
+ */
+ public static SgtTicket applySgtCredential(KerberosTicket ticket, String service) throws GSSException {
+ TgtTicket tgt = getTgtTicketFromKerberosTicket(ticket);
+ return applySgtCredential(tgt, service);
+ }
+
+ public static SgtTicket applySgtCredential(TgtTicket tgt, String server) throws GSSException {
+ KrbClientBase client = getKrbClient();
+
+ SgtTicket sgt = null;
+ try {
+ client.init();
+ sgt = client.requestSgt(tgt, server);
+ return sgt;
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1, e.getMessage());
+ }
+ }
+
+ public static KerberosTicket convertKrbTicketToKerberosTicket(KrbTicket krbTicket, String clientName)
+ throws GSSException {
+ byte[] asn1Encoding;
+ try {
+ asn1Encoding = krbTicket.getTicket().encode();
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, e.getMessage());
+ }
+
+ byte[] sessionKey = krbTicket.getSessionKey().getKeyData();
+ int keyType = krbTicket.getSessionKey().getKeyType().getValue();
+
+ EncKdcRepPart encKdcRepPart = krbTicket.getEncKdcRepPart();
+ KerberosPrincipal client = new KerberosPrincipal(clientName);
+
+ PrincipalName serverPrinc = krbTicket.getTicket().getSname();
+ String serverName = serverPrinc.getName() + "@" + krbTicket.getTicket().getRealm();
+ KerberosPrincipal server = new KerberosPrincipal(serverName, serverPrinc.getNameType().getValue());
+
+ TicketFlags ticketFlags = encKdcRepPart.getFlags();
+ boolean[] flags = ticketFlagsToBooleans(ticketFlags);
+
+ Date authTime = new Date(encKdcRepPart.getAuthTime().getTime());
+ Date startTime = new Date(encKdcRepPart.getStartTime().getTime());
+ Date endTime = new Date(encKdcRepPart.getEndTime().getTime());
+ Date renewTill = new Date(encKdcRepPart.getRenewTill().getTime());
+
+ InetAddress[] clientAddresses = null;
+ List<HostAddress> hostAddresses = encKdcRepPart.getCaddr().getElements();
+ if (hostAddresses != null) {
+ int i = 0;
+ clientAddresses = new InetAddress[hostAddresses.size()];
+ for (HostAddress hostAddr : hostAddresses) {
+ try {
+ InetAddress iAddr = InetAddress.getByAddress(hostAddr.getAddress());
+ clientAddresses[i++] = iAddr;
+ } catch (UnknownHostException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Bad client address");
+ }
+ }
+ }
+
+ KerberosTicket ticket = new KerberosTicket(
+ asn1Encoding,
+ client,
+ server,
+ sessionKey,
+ keyType,
+ flags,
+ authTime,
+ startTime,
+ endTime,
+ renewTill,
+ clientAddresses
+ );
+ return ticket;
+ }
+
+ public static KrbClientBase getKrbClient() {
+ KrbClientBase client;
+ try {
+ File confSpecified = new File(getSystemProperty("java.security.krb5.conf"));
+ if (confSpecified != null) {
+ client = new KrbClientBase(confSpecified);
+ } else {
+ client = new KrbClientBase(); // get configure file from environment variable or default path
+ }
+
+ return client;
+ } catch (KrbException e) {
+ return null;
+ }
+ }
+
+ public static EncryptionKey[] convertKerberosKeyToEncryptionKey(KerberosKey[] krbKeys) {
+ if (krbKeys == null) {
+ return null;
+ }
+ EncryptionKey[] keys = new EncryptionKey[krbKeys.length];
+ int i = 0;
+ for (KerberosKey krbKey : krbKeys) {
+ keys[i++] = new EncryptionKey(krbKey.getKeyType(), krbKey.getEncoded());
+ }
+ return keys;
+ }
+
+ /**
+ * Filter out an appropriate KerberosKey from krbKeys and generate a
+ * EncryptionKey accordingly
+ *
+ * @param krbKeys
+ * @param encType
+ * @param kvno
+ * @return
+ */
+ public static EncryptionKey getEncryptionKey(KerberosKey[] krbKeys, int encType, int kvno) {
+ if (krbKeys == null) {
+ return null;
+ }
+ for (KerberosKey krbKey : krbKeys) {
+ if (krbKey.getKeyType() == encType && krbKey.getVersionNumber() == kvno && !krbKey.isDestroyed()) {
+ return new EncryptionKey(krbKey.getKeyType(), krbKey.getEncoded());
+ }
+ }
+ return null;
+ }
+
+ /**
+ * Get value of predefined system property
+ * @param name
+ * @return
+ */
+ private static String getSystemProperty(String name) {
+ if (name == null) {
+ return null;
+ }
+
+ final String propertyName = name;
+ try {
+ return AccessController.doPrivileged(
+ new PrivilegedExceptionAction<String>() {
+ public String run() {
+ return System.getProperty(propertyName);
+ }
+ });
+ } catch (PrivilegedActionException e) {
+ return null; // ignored
+ }
+ }
+
+ public static com.sun.security.jgss.AuthorizationDataEntry[]
+ kerbyAuthorizationDataToJgssAuthorizationDataEntries(AuthorizationData authData) {
+ if (authData == null) {
+ return null;
+ }
+ List<AuthorizationDataEntry> kerbyEntries = authData.getElements();
+ com.sun.security.jgss.AuthorizationDataEntry[] entries =
+ new com.sun.security.jgss.AuthorizationDataEntry[kerbyEntries.size()];
+ for (int i = 0; i < kerbyEntries.size(); i++) {
+ entries[i] = new com.sun.security.jgss.AuthorizationDataEntry(
+ kerbyEntries.get(i).getAuthzType().getValue(),
+ kerbyEntries.get(i).getAuthzData());
+ }
+ return entries;
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/976b16cf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/MicTokenV1.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/MicTokenV1.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/MicTokenV1.java
new file mode 100644
index 0000000..63baa6b
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/MicTokenV1.java
@@ -0,0 +1,92 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss.impl;
+
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.MessageProp;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+
+public class MicTokenV1 extends GssTokenV1 {
+ public MicTokenV1(GssContext context,
+ byte[] inMsg,
+ int msgOffset,
+ int msgLength,
+ MessageProp messageProp) throws GSSException {
+ super(TOKEN_MIC_V1, context);
+ calcPrivacyInfo(messageProp, null, inMsg, msgOffset, msgLength, 0);
+ }
+
+ // This is called to construct MicToken from MicToken bytes
+ MicTokenV1(GssContext context,
+ MessageProp messageProp,
+ byte[] inToken,
+ int tokenOffset,
+ int tokenLength) throws GSSException {
+ super(TOKEN_MIC_V1, context, messageProp, inToken, tokenOffset, tokenLength);
+ }
+
+ public int getMic(byte[] outToken, int offset) throws GSSException, IOException {
+ byte[] data = getMic();
+ System.arraycopy(data, 0, outToken, offset, data.length);
+ return data.length;
+ }
+
+ /**
+ * Get bytes for this Mic token
+ * @return
+ */
+ public byte[] getMic() throws GSSException {
+ ByteArrayOutputStream os = new ByteArrayOutputStream(64);
+ getMic(os);
+ return os.toByteArray();
+ }
+
+ public void getMic(OutputStream os) throws GSSException {
+ try {
+ encodeHeader(os);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Error in output MicTokenV1 bytes:" + e.getMessage());
+ }
+ }
+
+ public void verify(InputStream is) throws GSSException {
+ byte[] data;
+ try {
+ data = new byte[is.available()];
+ is.read(data);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Read plain data for MicTokenV1 error:" + e.getMessage());
+ }
+ verify(data, 0, data.length);
+ }
+
+ public void verify(byte[] data, int offset, int len) throws GSSException {
+ verifyToken(null, data, offset, len, 0);
+ }
+
+ protected int getTokenSizeWithoutGssHeader() {
+ return getTokenHeaderSize();
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/976b16cf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/MicTokenV2.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/MicTokenV2.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/MicTokenV2.java
new file mode 100644
index 0000000..2441823
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/MicTokenV2.java
@@ -0,0 +1,94 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss.impl;
+
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.MessageProp;
+
+import java.io.IOException;
+import java.io.OutputStream;
+
+public class MicTokenV2 extends GssTokenV2 {
+ private MessageProp prop;
+
+ // This is called to construct MicToken from user input
+ MicTokenV2(GssContext context,
+ byte[] inMsg,
+ int msgOffset,
+ int msgLength,
+ MessageProp messageProp) throws GSSException {
+ super(TOKEN_MIC_V2, context);
+
+ prop = messageProp;
+ if (prop == null) {
+ prop = new MessageProp(0, false);
+ }
+
+ generateCheckSum(prop, inMsg, msgOffset, msgLength);
+ }
+
+ // This is called to construct MicToken from MicToken bytes
+ MicTokenV2(GssContext context,
+ MessageProp messageProp,
+ byte[] inToken,
+ int tokenOffset,
+ int tokenLength) throws GSSException {
+ super(TOKEN_MIC_V2, context, messageProp, inToken, tokenOffset, tokenLength);
+ this.prop = messageProp;
+ }
+
+ public int getMic(byte[] outToken, int offset) {
+ encodeHeader(outToken, offset);
+ System.arraycopy(checkSum, 0, outToken, TOKEN_HEADER_SIZE + offset, checkSum.length);
+ return TOKEN_HEADER_SIZE + checkSum.length;
+ }
+
+ /**
+ * Get bytes for this Mic token
+ * @return
+ */
+ public byte[] getMic() {
+ byte[] ret = new byte[TOKEN_HEADER_SIZE + checkSum.length];
+ getMic(ret, 0);
+ return ret;
+ }
+
+ public void getMic(OutputStream os) throws GSSException {
+ try {
+ encodeHeader(os);
+ os.write(checkSum);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Output MicTokenV2 error:" + e.getMessage());
+ }
+ }
+
+ /**
+ * Calculate the checksum for inMsg and compare with it with this token, throw GssException if not equal
+ * @param inMsg
+ * @param msgOffset
+ * @param msgLen
+ * @throws GSSException
+ */
+ public void verify(byte[] inMsg, int msgOffset, int msgLen) throws GSSException {
+ if (!verifyCheckSum(inMsg, msgOffset, msgLen)) {
+ throw new GSSException(GSSException.BAD_MIC, -1, "Corrupt MIC token");
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/976b16cf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/WrapTokenV1.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/WrapTokenV1.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/WrapTokenV1.java
new file mode 100644
index 0000000..03395bb
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/WrapTokenV1.java
@@ -0,0 +1,196 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss.impl;
+
+import org.apache.kerby.kerberos.kerb.crypto.util.Random;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.MessageProp;
+import sun.security.jgss.GSSHeader;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+
+public class WrapTokenV1 extends GssTokenV1 {
+ public static final int CONFOUNDER_SIZE = 8;
+
+ private boolean privacy;
+
+ private byte[] inData;
+ private int inOffset;
+ private int inLen;
+
+ private int paddingLen;
+ private byte[] confounder;
+ private int tokenBodyLen;
+
+ private byte[] bodyData;
+ private int bodyOffset;
+ private int bodyLen;
+
+ // for reconstruct
+ private int rawDataLength;
+ private byte[] rawData;
+ private int rawDataOffset;
+
+
+ // Generate wrap token according user data
+ public WrapTokenV1(GssContext context,
+ byte[] inMsg,
+ int msgOffset,
+ int msgLength,
+ MessageProp prop) throws GSSException {
+ super(TOKEN_WRAP_V1, context);
+
+ paddingLen = getPaddingLength(msgLength);
+ confounder = Random.makeBytes(CONFOUNDER_SIZE);
+ tokenBodyLen = CONFOUNDER_SIZE + msgLength + paddingLen;
+
+ calcPrivacyInfo(prop, confounder, inMsg, msgOffset, msgLength, paddingLen);
+
+ if (!context.getConfState()) {
+ prop.setPrivacy(false);
+ }
+ privacy = prop.getPrivacy();
+ inData = inMsg;
+ inOffset = msgOffset;
+ inLen = msgLength;
+ }
+
+ // Reconstruct a token from token bytes
+ public WrapTokenV1(GssContext context, MessageProp prop,
+ byte[] token, int offset, int len) throws GSSException {
+ super(TOKEN_WRAP_V1, context, prop, token, offset, len);
+ // adjust the offset to the beginning of the body
+ bodyData = token;
+ bodyOffset = offset + reconHeaderLen;
+ bodyLen = len - reconHeaderLen;
+ getRawData(prop);
+ }
+
+ // Reconstruct a token from token bytes stream
+ public WrapTokenV1(GssContext context, MessageProp prop, InputStream is) throws GSSException {
+ super(TOKEN_WRAP_V1, context, prop, is);
+ byte[] token;
+ int len;
+ try {
+ len = is.available();
+ token = new byte[len];
+ is.read(token);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Read wrap token V1 error:" + e.getMessage());
+ }
+ bodyData = token;
+ bodyOffset = 0;
+ bodyLen = len;
+ getRawData(prop);
+ }
+
+ private void getRawData(MessageProp prop) throws GSSException {
+ privacy = prop.getPrivacy();
+ tokenBodyLen = getGssHeader().getMechTokenLength() - getTokenHeaderSize();
+
+ if (bodyLen < tokenBodyLen) {
+ throw new GSSException(GSSException.FAILURE, -1, "Insufficient data for Wrap token V1");
+ }
+
+ if (privacy) {
+ rawData = encryptor.encryptTokenV1(null, bodyData, bodyOffset, tokenBodyLen, 0,
+ encryptor.isArcFourHmac() ? getPlainSequenceBytes() : null, false);
+ paddingLen = rawData[rawData.length - 1];
+ rawDataOffset = CONFOUNDER_SIZE;
+ } else {
+ rawData = bodyData;
+ paddingLen = bodyData[bodyOffset + tokenBodyLen - 1];
+ rawDataOffset = bodyOffset + CONFOUNDER_SIZE;
+ }
+ rawDataLength = tokenBodyLen - CONFOUNDER_SIZE - paddingLen;
+
+ verifyToken(null, rawData, rawDataOffset - CONFOUNDER_SIZE, tokenBodyLen, 0);
+ }
+
+ // Get plain text data from token data bytes
+ public byte[] unwrap() throws GSSException {
+ byte[] ret = new byte[rawDataLength];
+ System.arraycopy(rawData, rawDataOffset, ret, 0, rawDataLength);
+ return ret;
+ }
+
+ public void unwrap(OutputStream os) throws GSSException {
+ try {
+ os.write(rawData, rawDataOffset, rawDataLength);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Error in output wrap token v1 data bytes:" + e.getMessage());
+ }
+ }
+
+ public byte[] wrap() throws GSSException {
+ ByteArrayOutputStream os = new ByteArrayOutputStream(getTokenSizeWithoutGssHeader() + inLen + 64);
+ wrap(os);
+ return os.toByteArray();
+ }
+
+ public void wrap(OutputStream os) throws GSSException {
+ try {
+ encodeHeader(os);
+ if (privacy) {
+ byte[] enc = encryptor.encryptTokenV1(confounder, inData, inOffset, inLen, paddingLen,
+ encryptor.isArcFourHmac() ? getPlainSequenceBytes() : null, true);
+ os.write(enc);
+ } else {
+ os.write(confounder);
+ os.write(inData, inOffset, inLen);
+ os.write(getPaddingBytes(paddingLen));
+ }
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Error in output wrap token v1 bytes:" + e.getMessage());
+ }
+ }
+
+ protected int getTokenSizeWithoutGssHeader() {
+ return tokenBodyLen + getTokenHeaderSize();
+ }
+
+ private int getPaddingLength(int dataLen) {
+ if (encryptor.isArcFourHmac()) {
+ return 1;
+ }
+ return 8 - (dataLen % 8);
+ }
+
+ private byte[] getPaddingBytes(int len) {
+ byte[] ret = new byte[len];
+ int i = 0;
+ while (i < len) {
+ ret[i++] = (byte) len;
+ }
+ return ret;
+ }
+
+ public static int getMsgSizeLimit(int qop, boolean confReq, int maxTokSize, GssEncryptor encryptor)
+ throws GSSException {
+ return GSSHeader.getMaxMechTokenSize(objId, maxTokSize)
+ - encryptor.getCheckSumSize()
+ - TOKEN_HEADER_COMM_SIZE - TOKEN_HEADER_SEQ_SIZE
+ - CONFOUNDER_SIZE - 8;
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/976b16cf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/WrapTokenV2.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/WrapTokenV2.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/WrapTokenV2.java
new file mode 100644
index 0000000..8f4cae4
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/WrapTokenV2.java
@@ -0,0 +1,159 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss.impl;
+
+import org.apache.kerby.kerberos.kerb.Message;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.MessageProp;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+
+
+public class WrapTokenV2 extends GssTokenV2 {
+ private MessageProp prop;
+
+ // Generate a token from user input data
+ WrapTokenV2(GssContext context,
+ byte[] data,
+ int dataOffset,
+ int dataLength,
+ MessageProp messageProp) throws GSSException {
+ super(TOKEN_WRAP_V2, context);
+
+ prop = messageProp;
+
+ if (prop.getQOP() != 0) {
+ prop.setQOP(0);
+ }
+
+ if (!context.getConfState()) {
+ prop.setPrivacy(false);
+ }
+
+ generateCheckSum(prop, data, dataOffset, dataLength);
+
+ if (prop.getPrivacy()) {
+ byte[] toProcess = new byte[dataLength + TOKEN_HEADER_SIZE];
+ System.arraycopy(data, dataOffset, toProcess, 0, dataLength);
+ encodeHeader(toProcess, dataLength);
+
+ tokenData = encryptor.encryptData(toProcess, getKeyUsage());
+ } else {
+ tokenData = data; // keep it for now
+ }
+ }
+
+ /**
+ * Get bytes of the token
+ * @return
+ */
+ public byte[] wrap() {
+ int dataSize = tokenData.length;
+ int ckSize = checkSum == null ? 0 : checkSum.length;
+ byte[] ret = new byte[TOKEN_HEADER_SIZE + dataSize + ckSize];
+ encodeHeader(ret, 0);
+ System.arraycopy(tokenData, 0, ret, TOKEN_HEADER_SIZE, dataSize);
+ if (ckSize > 0) {
+ System.arraycopy(checkSum, 0, ret, TOKEN_HEADER_SIZE + dataSize, ckSize);
+ }
+ return ret;
+ }
+
+ public void wrap(OutputStream os) throws GSSException {
+ try {
+ encodeHeader(os);
+ os.write(tokenData);
+ int ckSize = checkSum == null ? 0 : checkSum.length;
+ if (ckSize > 0) {
+ os.write(checkSum);
+ }
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Output token error:" + e.getMessage());
+ }
+ }
+
+ // Reconstruct a token from token bytes
+ public WrapTokenV2(GssContext context, MessageProp prop, byte[] token, int offset, int len) throws GSSException {
+ super(TOKEN_WRAP_V2, context, prop, token, offset, len);
+ this.prop = prop;
+ }
+
+ // Reconstruct a token from token bytes stream
+ public WrapTokenV2(GssContext context, MessageProp prop, InputStream is) throws GSSException {
+ super(TOKEN_WRAP_V2, context, prop, is);
+ this.prop = prop;
+ }
+
+ /**
+ * Get plain text data from token bytes
+ * @param outBuffer
+ * @param offset
+ * @return plain text contained in the wrap token
+ * @throws GSSException
+ */
+ public byte[] unwrap(byte[] outBuffer, int offset) throws GSSException {
+ int lenToCopy;
+ if (prop.getPrivacy()) {
+ byte[] plainText = encryptor.decryptData(tokenData, getKeyUsage());
+ lenToCopy = plainText.length - TOKEN_HEADER_SIZE;
+ if (outBuffer == null) {
+ outBuffer = new byte[lenToCopy];
+ offset = 0;
+ }
+ System.arraycopy(plainText, 0, outBuffer, offset, lenToCopy);
+ } else {
+ lenToCopy = tokenData.length - encryptor.getCheckSumSize();
+ if (outBuffer == null) {
+ outBuffer = new byte[lenToCopy];
+ offset = 0;
+ }
+ System.arraycopy(tokenData, 0, outBuffer, offset, lenToCopy);
+
+ if (!verifyCheckSum(outBuffer, offset, lenToCopy)) {
+ throw new GSSException(GSSException.BAD_MIC, -1, "Corrupt token checksum");
+ }
+ }
+ return outBuffer;
+ }
+
+ public byte[] unwrap() throws GSSException {
+ return unwrap(null, 0);
+ }
+
+ public void unwrap(OutputStream os) throws GSSException {
+ byte[] data = unwrap();
+ try {
+ os.write(data);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Output token error:" + e.getMessage());
+ }
+ }
+
+ public static int getMsgSizeLimit(int qop, boolean confReq, int maxTokSize, GssEncryptor encryptor)
+ throws GSSException {
+ if (confReq) {
+ return maxTokSize - encryptor.getCheckSumSize() - TOKEN_HEADER_SIZE * 2 - CONFOUNDER_SIZE;
+ } else {
+ return maxTokSize - encryptor.getCheckSumSize() - TOKEN_HEADER_SIZE;
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/976b16cf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java
deleted file mode 100644
index adacb27..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java
+++ /dev/null
@@ -1,149 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi;
-
-import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyAcceptCred;
-import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyContext;
-import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyCredElement;
-import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyInitCred;
-import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyNameElement;
-import org.ietf.jgss.GSSCredential;
-import org.ietf.jgss.GSSException;
-import org.ietf.jgss.GSSName;
-import org.ietf.jgss.Oid;
-import sun.security.jgss.GSSCaller;
-import sun.security.jgss.spi.GSSContextSpi;
-import sun.security.jgss.spi.GSSCredentialSpi;
-import sun.security.jgss.spi.GSSNameSpi;
-import sun.security.jgss.spi.MechanismFactory;
-
-import java.security.Provider;
-
-/**
- * Kerby Kerberos V5 plugin for JGSS
- */
-public class KerbyMechFactory implements MechanismFactory {
- private static final Provider PROVIDER =
- new org.apache.kerby.kerberos.kerb.gssapi.Provider();
-
- private static final String KRB5_OID_STRING = "1.2.840.113554.1.2.2";
- private static final Oid KRB5_OID = createOid(KRB5_OID_STRING);
-
- private static Oid[] nameTypes =
- new Oid[] {
- GSSName.NT_USER_NAME,
- GSSName.NT_EXPORT_NAME,
- GSSName.NT_HOSTBASED_SERVICE
- };
-
- private final GSSCaller caller;
-
- public Oid getMechanismOid() {
- return KRB5_OID;
- }
-
- public Provider getProvider() {
- return PROVIDER;
- }
-
- public Oid[] getNameTypes() throws GSSException {
- return nameTypes;
- }
-
- public KerbyMechFactory(GSSCaller caller) {
- this.caller = caller;
- }
-
- public GSSNameSpi getNameElement(String nameStr, Oid nameType)
- throws GSSException {
- return KerbyNameElement.getInstance(nameStr, nameType);
- }
-
- public GSSNameSpi getNameElement(byte[] name, Oid nameType)
- throws GSSException {
- return KerbyNameElement.getInstance(name.toString(), nameType);
- }
-
- // Used by initiator
- public GSSContextSpi getMechanismContext(GSSNameSpi peer,
- GSSCredentialSpi myInitiatorCred,
- int lifetime) throws GSSException {
- if (peer != null && !(peer instanceof KerbyNameElement)) {
- peer = KerbyNameElement.getInstance(peer.toString(), peer.getStringNameType());
- }
- if (myInitiatorCred == null) {
- myInitiatorCred = getCredentialElement(null, lifetime, 0, GSSCredential.INITIATE_ONLY);
- }
- return new KerbyContext(caller, (KerbyNameElement) peer, (KerbyInitCred) myInitiatorCred, lifetime);
- }
-
- public GSSContextSpi getMechanismContext(GSSCredentialSpi myAcceptorCred)
- throws GSSException {
- if (myAcceptorCred == null) {
- myAcceptorCred = getCredentialElement(null, 0,
- GSSCredential.INDEFINITE_LIFETIME, GSSCredential.ACCEPT_ONLY);
- }
- return new KerbyContext(caller, (KerbyAcceptCred) myAcceptorCred);
- }
-
- // Reconstruct from previously exported context
- public GSSContextSpi getMechanismContext(byte[] exportedContext)
- throws GSSException {
- return new KerbyContext(caller, exportedContext);
- }
-
- public GSSCredentialSpi getCredentialElement(GSSNameSpi name,
- int initLifetime,
- int acceptLifetime,
- int usage)
- throws GSSException {
- if (name != null && !(name instanceof KerbyNameElement)) {
- name = KerbyNameElement.getInstance(name.toString(), name.getStringNameType());
- }
-
- KerbyCredElement credElement;
-
- if (usage == GSSCredential.INITIATE_ONLY) {
- credElement = KerbyInitCred.getInstance(caller, (KerbyNameElement) name, initLifetime);
- } else if (usage == GSSCredential.ACCEPT_ONLY) {
- credElement = KerbyAcceptCred.getInstance(caller, (KerbyNameElement) name, acceptLifetime);
- } else if (usage == GSSCredential.INITIATE_AND_ACCEPT) {
- throw new GSSException(GSSException.FAILURE, -1, "Unsupported usage mode: INITIATE_AND_ACCEPT");
- } else {
- throw new GSSException(GSSException.FAILURE, -1, "Unknown usage mode: " + usage);
- }
-
- return credElement;
- }
-
- private static Oid createOid(String oidStr) {
- Oid retVal;
- try {
- retVal = new Oid(oidStr);
- } catch (GSSException e) {
- retVal = null;
- }
- return retVal;
- }
-
- public static Oid getOid() {
- return KRB5_OID;
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/976b16cf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/Provider.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/Provider.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/Provider.java
deleted file mode 100644
index ad3a614..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/Provider.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi;
-
-import java.security.AccessController;
-import java.security.PrivilegedAction;
-
-/**
- * Proivder is used to register the implementation of gssapi mechanism into the system
- */
-public final class Provider extends java.security.Provider {
- private static final long serialVersionUID = 3787378212107821987L;
- private static final String INFO = "Kerby GssApi Provider";
- private static final String MECHANISM_GSSAPI = "GssApiMechanism.1.2.840.113554.1.2.2";
- private static final String MECHANISM_GSSAPI_CLASS = "org.apache.kerby.kerberos.kerb.gssapi.KerbyMechFactory";
-
- public Provider() {
- super("KerbyGssApi", 0.01d, INFO);
-
- AccessController.doPrivileged(new PrivilegedAction<Void>() {
- public Void run() {
-
- put(MECHANISM_GSSAPI, MECHANISM_GSSAPI_CLASS);
-
- return null;
- }
- });
- }
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/976b16cf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/CredUtils.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/CredUtils.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/CredUtils.java
deleted file mode 100644
index f7ddc31..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/CredUtils.java
+++ /dev/null
@@ -1,89 +0,0 @@
-package org.apache.kerby.kerberos.kerb.gssapi.krb5;
-
-import org.ietf.jgss.GSSException;
-import sun.security.jgss.GSSCaller;
-
-import javax.security.auth.Subject;
-import javax.security.auth.kerberos.*;
-import java.security.AccessControlContext;
-import java.security.AccessController;
-import java.security.PrivilegedActionException;
-import java.security.PrivilegedExceptionAction;
-import java.util.Set;
-
-/**
- * Utility functions to deal with credentials in Context
- */
-public class CredUtils {
-
- public static <T> Set<T> getContextPrivateCredentials(Class<T> credentialType, AccessControlContext acc) {
- Subject subject = Subject.getSubject(acc);
- Set<T> creds = subject.getPrivateCredentials(credentialType);
- return creds;
- }
-
- public static <T> Set<T> getContextCredentials(final Class<T> credentialType) throws GSSException {
- final AccessControlContext acc = AccessController.getContext();
- try {
- return AccessController.doPrivileged(
- new PrivilegedExceptionAction<Set<T>>() {
- public Set<T> run() throws Exception {
- return CredUtils.getContextPrivateCredentials(credentialType, acc);
- }
- });
- } catch (PrivilegedActionException e) {
- throw new GSSException(GSSException.NO_CRED, -1, "Get credential from context failed");
- }
- }
-
- public static KerberosTicket getKerberosTicketFromContext(GSSCaller caller,
- final String clientName,
- final String serverName) throws GSSException {
- Set<KerberosTicket> tickets = getContextCredentials(KerberosTicket.class);
- for (KerberosTicket ticket : tickets) {
- if (ticket.isCurrent() && (serverName == null || ticket.getServer().getName().equals(serverName))
- && (clientName == null || ticket.getClient().getName().equals(clientName))) {
- return ticket;
- }
- }
- return null;
- }
-
- public static KeyTab getKeyTabFromContext(KerberosPrincipal principal) throws GSSException {
- Set<KeyTab> tabs = getContextCredentials(KeyTab.class);
- for (KeyTab tab : tabs) {
- KerberosKey[] keys = tab.getKeys(principal);
- if (keys != null && keys.length > 0) {
- return tab;
- }
- }
- return null;
- }
-
- public static void addCredentialToSubject(final KerberosTicket ticket) throws GSSException {
- final AccessControlContext acc = AccessController.getContext();
-
- final Subject subject = AccessController.doPrivileged(
- new java.security.PrivilegedAction<Subject>() {
- public Subject run() {
- return Subject.getSubject(acc);
- }
- });
-
- AccessController.doPrivileged(
- new java.security.PrivilegedAction<Void>() {
- public Void run() {
- subject.getPrivateCredentials().add(ticket);
- return null;
- }
- });
- }
-
- public static void checkPrincipalPermission(String principalName, String action) {
- SecurityManager sm = System.getSecurityManager();
- if (sm != null) {
- ServicePermission sp = new ServicePermission(principalName, action);
- sm.checkPermission(sp);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/976b16cf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyAcceptCred.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyAcceptCred.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyAcceptCred.java
deleted file mode 100644
index a7331fa..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyAcceptCred.java
+++ /dev/null
@@ -1,72 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi.krb5;
-
-
-import org.ietf.jgss.GSSException;
-import sun.security.jgss.GSSCaller;
-
-import javax.security.auth.kerberos.KerberosKey;
-import javax.security.auth.kerberos.KerberosPrincipal;
-import javax.security.auth.kerberos.KeyTab;
-
-public final class KerbyAcceptCred extends KerbyCredElement {
-
- private final KeyTab keyTab;
-
- public static KerbyAcceptCred getInstance(final GSSCaller caller,
- KerbyNameElement name, int lifeTime) throws GSSException {
-
- KerberosPrincipal princ = new KerberosPrincipal(name.getPrincipalName().getName(),
- name.getPrincipalName().getNameType().getValue());
- KeyTab keyTab = CredUtils.getKeyTabFromContext(princ);
-
- if (keyTab == null) {
- throw new GSSException(GSSException.NO_CRED, -1,
- "Failed to find any Kerberos credential for " + name.getPrincipalName().getName());
- }
-
- return new KerbyAcceptCred(caller, name, keyTab, lifeTime);
- }
-
- private KerbyAcceptCred(GSSCaller caller, KerbyNameElement name, KeyTab keyTab, int lifeTime) {
- super(caller, name);
- this.keyTab = keyTab;
- this.accLifeTime = lifeTime;
- }
-
- public boolean isInitiatorCredential() throws GSSException {
- return false;
- }
-
- public boolean isAcceptorCredential() throws GSSException {
- return true;
- }
-
- public KeyTab getKeyTab() {
- return this.keyTab;
- }
-
- public KerberosKey[] getKeys() {
- KerberosPrincipal princ = new KerberosPrincipal(name.getPrincipalName().getName(),
- name.getPrincipalName().getNameType().getValue());
- return keyTab.getKeys(princ);
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/976b16cf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
deleted file mode 100644
index 5395afd..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
+++ /dev/null
@@ -1,673 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi.krb5;
-
-import com.sun.security.jgss.InquireType;
-import org.apache.kerby.kerberos.kerb.KrbException;
-import org.apache.kerby.kerberos.kerb.gssapi.KerbyMechFactory;
-import org.apache.kerby.kerberos.kerb.request.ApRequest;
-import org.apache.kerby.kerberos.kerb.response.ApResponse;
-import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationData;
-import org.apache.kerby.kerberos.kerb.type.ap.ApRep;
-import org.apache.kerby.kerberos.kerb.type.ap.ApReq;
-import org.apache.kerby.kerberos.kerb.type.ap.Authenticator;
-import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
-import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
-import org.apache.kerby.kerberos.kerb.type.kdc.EncKdcRepPart;
-import org.apache.kerby.kerberos.kerb.type.ticket.EncTicketPart;
-import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
-import org.apache.kerby.kerberos.kerb.type.ticket.TicketFlags;
-import org.ietf.jgss.ChannelBinding;
-import org.ietf.jgss.GSSContext;
-import org.ietf.jgss.GSSException;
-import org.ietf.jgss.MessageProp;
-import org.ietf.jgss.Oid;
-import sun.security.jgss.GSSCaller;
-import sun.security.jgss.spi.GSSContextSpi;
-import sun.security.jgss.spi.GSSCredentialSpi;
-import sun.security.jgss.spi.GSSNameSpi;
-
-import javax.security.auth.kerberos.KerberosTicket;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.nio.ByteBuffer;
-import java.security.Provider;
-
-@SuppressWarnings("PMD")
-public class KerbyContext implements GSSContextSpi {
-
- private static final int STATE_NONE = 0;
- private static final int STATE_ESTABLISHING = 1;
- private static final int STATE_ESTABLISHED = 2;
- private static final int STATE_DESTROYED = 3;
-
- private static final byte[] MSG_AP_REQ = {(byte) 0x1, (byte) 0};
- private static final byte[] MSG_AP_REP = {(byte) 0x2, (byte) 0};
-
- private int ctxState = STATE_NONE;
-
- private final GSSCaller caller;
- private KerbyCredElement myCred;
- private boolean initiator;
- private KerbyNameElement myName;
- private KerbyNameElement peerName;
- private int lifeTime;
- private ChannelBinding channelBinding;
-
- private boolean mutualAuth = true;
- private boolean replayDet = true;
- private boolean sequenceDet = true;
- private boolean credDeleg = false;
- private boolean confState = true;
- private boolean integState = true;
- private boolean delegPolicy = false;
-
- public static final int INVALID_KEY = 0;
- public static final int SESSION_KEY = 1;
- public static final int INITIATOR_SUBKEY = 2;
- public static final int ACCEPTOR_SUBKEY = 4;
- private int keyComesFrom = INVALID_KEY;
-
- private EncryptionKey sessionKey; // used between client and app server
- private TicketFlags ticketFlags;
- private ApReq outApReq;
-
- private KerbyGssEncryptor gssEncryptor;
-
- // Called on initiator's side.
- public KerbyContext(GSSCaller caller, KerbyNameElement peerName, KerbyCredElement myCred,
- int lifeTime)
- throws GSSException {
- if (peerName == null) {
- throw new IllegalArgumentException("Cannot have null peer name");
- }
-
- this.caller = caller;
- this.peerName = peerName;
- this.myCred = myCred;
- this.lifeTime = lifeTime;
- this.initiator = true;
-
- mySequenceNumberLock = new Object();
- peerSequenceNumberLock = new Object();
- }
-
- public KerbyContext(GSSCaller caller, KerbyAcceptCred myCred)
- throws GSSException {
- this.caller = caller;
- this.myCred = myCred;
- this.initiator = false;
-
- mySequenceNumberLock = new Object();
- peerSequenceNumberLock = new Object();
- }
-
- public KerbyContext(GSSCaller caller, byte[] interProcessToken)
- throws GSSException {
- throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported feature");
- }
-
- public Provider getProvider() {
- return new org.apache.kerby.kerberos.kerb.gssapi.Provider();
- }
-
- public void requestLifetime(int lifeTime) throws GSSException {
- if (ctxState == STATE_NONE && isInitiator()) {
- this.lifeTime = lifeTime;
- }
- }
-
- public void requestMutualAuth(boolean state) throws GSSException {
- if (ctxState == STATE_NONE && isInitiator()) {
- mutualAuth = state;
- }
- }
-
- public void requestReplayDet(boolean state) throws GSSException {
- if (ctxState == STATE_NONE && isInitiator()) {
- replayDet = state;
- }
- }
-
- public void requestSequenceDet(boolean state) throws GSSException {
- if (ctxState == STATE_NONE && isInitiator()) {
- replayDet = state;
- }
- }
-
- public void requestCredDeleg(boolean state) throws GSSException {
- if (ctxState == STATE_NONE && isInitiator() && myCred == null) {
- credDeleg = state;
- }
- }
-
- public void requestAnonymity(boolean state) throws GSSException {
- // anonymous context not supported
- }
-
- public void requestConf(boolean state) throws GSSException {
- if (ctxState == STATE_NONE && isInitiator()) {
- confState = state;
- }
- }
-
- public void requestInteg(boolean state) throws GSSException {
- if (ctxState == STATE_NONE && isInitiator()) {
- integState = state;
- }
- }
-
- public void requestDelegPolicy(boolean state) throws GSSException {
- if (ctxState == STATE_NONE && isInitiator()) {
- delegPolicy = state;
- }
- }
-
- public void setChannelBinding(ChannelBinding cb) throws GSSException {
- this.channelBinding = cb;
- }
-
- public boolean getCredDelegState() {
- return credDeleg;
- }
-
- public boolean getMutualAuthState() {
- return mutualAuth;
- }
-
- public boolean getReplayDetState() {
- return replayDet || sequenceDet;
- }
-
- public boolean getSequenceDetState() {
- return sequenceDet;
- }
-
- public boolean getAnonymityState() {
- return false;
- }
-
- public boolean getDelegPolicyState() {
- return delegPolicy;
- }
-
- public boolean isTransferable() throws GSSException {
- return false;
- }
-
- public boolean isProtReady() {
- return ctxState == STATE_ESTABLISHED;
- }
-
- public boolean isInitiator() {
- return initiator;
- }
-
- public boolean getConfState() {
- return confState;
- }
-
- public boolean getIntegState() {
- return integState;
- }
-
- public int getLifetime() {
- return GSSContext.INDEFINITE_LIFETIME;
- }
-
- public boolean isEstablished() {
- return ctxState == STATE_ESTABLISHED;
- }
-
- public GSSNameSpi getSrcName() throws GSSException {
- return isInitiator() ? myName : peerName;
- }
-
- public GSSNameSpi getTargName() throws GSSException {
- return !isInitiator() ? myName : peerName;
- }
-
- public Oid getMech() throws GSSException {
- return KerbyMechFactory.getOid();
- }
-
- public GSSCredentialSpi getDelegCred() throws GSSException {
- throw new GSSException(GSSException.FAILURE, -1, "API not implemented"); // TODO:
- }
-
- public byte[] initSecContext(InputStream is, int mechTokenSize)
- throws GSSException {
- if (!isInitiator()) {
- throw new GSSException(GSSException.FAILURE, -1, "initSecContext called on acceptor");
- }
-
- byte[] ret = null;
-
- if (ctxState == STATE_NONE) {
-
- if (!myCred.isInitiatorCredential()) {
- throw new GSSException(GSSException.NO_CRED, -1, "No TGT available");
- }
-
- // check if service ticket already exists
- // if not, prepare to get it through TGS_REQ
- SgtTicket sgtTicket = null;
- String serviceName = peerName.getPrincipalName().getName();
- myName = (KerbyNameElement) myCred.getName();
- PrincipalName clientPrincipal = myName.getPrincipalName();
-
- sgtTicket = KerbyUtil.getSgtCredentialFromContext(caller, clientPrincipal.getName(), serviceName);
-
- if (sgtTicket == null) {
- sgtTicket = KerbyUtil.applySgtCredential(((KerbyInitCred) myCred).ticket, serviceName);
-
- // add this service credential to context
- final KerberosTicket ticket =
- KerbyUtil.convertKrbTicketToKerberosTicket(sgtTicket, myName.getPrincipalName().getName());
- CredUtils.addCredentialToSubject(ticket);
- }
-
- ApRequest apRequest = new ApRequest(clientPrincipal, sgtTicket);
- try {
- outApReq = apRequest.getApReq();
- } catch (KrbException e) {
- throw new GSSException(GSSException.FAILURE, -1, "Generate ApReq failed: " + e.getMessage());
- }
- setupInitiatorContext(sgtTicket, apRequest);
- try {
- ByteBuffer outBuffer = ByteBuffer.allocate(outApReq.encodingLength() + 2);
- outBuffer.put(MSG_AP_REQ);
- outApReq.encode(outBuffer);
- outBuffer.flip();
- ret = outBuffer.array();
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1, "Generate ApReq bytes failed: " + e.getMessage());
- }
-
- ctxState = STATE_ESTABLISHING;
- if (!getMutualAuthState()) {
- gssEncryptor = new KerbyGssEncryptor(getSessionKey());
- ctxState = STATE_ESTABLISHED;
- }
-
- } else if (ctxState == STATE_ESTABLISHING) {
- verifyServerToken(is, mechTokenSize);
- gssEncryptor = new KerbyGssEncryptor(getSessionKey());
- outApReq = null;
- ctxState = STATE_ESTABLISHED;
- }
- return ret;
- }
-
- private void setupInitiatorContext(SgtTicket sgt, ApRequest apRequest) throws GSSException {
- EncKdcRepPart encKdcRepPart = sgt.getEncKdcRepPart();
- TicketFlags ticketFlags = encKdcRepPart.getFlags();
- setTicketFlags(ticketFlags);
-
- setAuthTime(encKdcRepPart.getAuthTime().toString());
-
- Authenticator auth;
- try {
- auth = apRequest.getApReq().getAuthenticator();
- } catch (KrbException e) {
- throw new GSSException(GSSException.FAILURE, -1, "ApReq failed in Initiator");
- }
- setMySequenceNumber(auth.getSeqNumber());
-
- EncryptionKey subKey = auth.getSubKey();
- if (subKey != null) {
- setSessionKey(subKey, KerbyContext.INITIATOR_SUBKEY);
- } else {
- setSessionKey(sgt.getSessionKey(), KerbyContext.SESSION_KEY);
- }
-
- if (!getMutualAuthState()) {
- setPeerSequenceNumber(0);
- }
- }
-
- /**
- * Verify the AP_REP from server and set context accordingly
- * @param is
- * @param mechTokenSize
- * @return
- * @throws GSSException
- * @throws IOException
- */
- private void verifyServerToken(InputStream is, int mechTokenSize)
- throws GSSException {
- byte[] token;
- ApRep apRep;
- try {
- if (!(is.read() == MSG_AP_REP[0] && is.read() == MSG_AP_REP[1])) {
- throw new GSSException(GSSException.FAILURE, -1, "Invalid ApRep message ID");
- }
- token = new byte[mechTokenSize - MSG_AP_REP.length];
- is.read(token);
- apRep = new ApRep();
- apRep.decode(token);
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1, "Invalid ApRep " + e.getMessage());
- }
-
- try {
- ApResponse.validate(getSessionKey(), apRep, outApReq);
- } catch (KrbException e) {
- throw new GSSException(GSSException.UNAUTHORIZED, -1, "ApRep verification failed");
- }
-
- EncryptionKey key = apRep.getEncRepPart().getSubkey();
- if (key != null) {
- setSessionKey(key, ACCEPTOR_SUBKEY);
- }
-
- int seqNum = apRep.getEncRepPart().getSeqNumber();
- setPeerSequenceNumber(seqNum == -1 ? 0 : seqNum);
- }
-
- public byte[] acceptSecContext(InputStream is, int mechTokenSize)
- throws GSSException {
- byte[] ret = null;
-
- if (isInitiator()) {
- throw new GSSException(GSSException.FAILURE, -1, "acceptSecContext called on initiator");
- }
-
- if (ctxState == STATE_NONE) {
- ctxState = STATE_ESTABLISHING;
- if (!myCred.isAcceptorCredential()) {
- throw new GSSException(GSSException.FAILURE, -1, "No acceptor credential available");
- }
-
- KerbyAcceptCred acceptCred = (KerbyAcceptCred) myCred;
- CredUtils.checkPrincipalPermission(
- ((KerbyNameElement) acceptCred.getName()).getPrincipalName().getName(), "accept");
-
- if (getMutualAuthState()) {
- ret = verifyClientToken(acceptCred, is, mechTokenSize);
- }
-
- gssEncryptor = new KerbyGssEncryptor(getSessionKey());
-
- myCred = null;
- ctxState = STATE_ESTABLISHED;
- }
-
- return ret;
- }
-
- private byte[] verifyClientToken(KerbyAcceptCred acceptCred, InputStream is, int mechTokenSize)
- throws GSSException {
- byte[] token;
- ApReq apReq;
- try {
- if (!(is.read() == MSG_AP_REQ[0] && is.read() == MSG_AP_REQ[1])) {
- throw new GSSException(GSSException.FAILURE, -1, "Invalid ApReq message ID");
- }
-
- token = new byte[mechTokenSize - MSG_AP_REQ.length];
- is.read(token);
- apReq = new ApReq();
- apReq.decode(token);
- } catch (IOException e) {
- throw new GSSException(GSSException.UNAUTHORIZED, -1, "ApReq invalid:" + e.getMessage());
- }
-
- int kvno = apReq.getTicket().getEncryptedEncPart().getKvno();
- int encryptType = apReq.getTicket().getEncryptedEncPart().getEType().getValue();
-
- // Get server key from credential
- EncryptionKey serverKey = KerbyUtil.getEncryptionKey(acceptCred.getKeys(), encryptType, kvno);
- if (serverKey == null) {
- throw new GSSException(GSSException.FAILURE, -1, "Server key not found");
- }
-
- try {
- ApRequest.validate(serverKey, apReq, channelBinding.getInitiatorAddress(), 5 * 60 * 1000);
- } catch (KrbException e) {
- throw new GSSException(GSSException.UNAUTHORIZED, -1, "ApReq verification failed: " + e.getMessage());
- }
-
- ApResponse apResponse = new ApResponse(apReq);
- ApRep apRep;
- try {
- apRep = apResponse.getApRep();
- } catch (KrbException e) {
- throw new GSSException(GSSException.UNAUTHORIZED, -1, "Generate ApRep failed");
- }
-
- EncTicketPart apReqTicketEncPart = apReq.getTicket().getEncPart();
-
- EncryptionKey ssKey = apReqTicketEncPart.getKey();
- Authenticator auth = apReq.getAuthenticator();
- EncryptionKey subKey = auth.getSubKey();
-
- if (subKey != null) {
- setSessionKey(subKey, INITIATOR_SUBKEY);
- } else {
- setSessionKey(ssKey, SESSION_KEY);
- }
-
- // initial seqNumber
- int seqNumber = auth.getSeqNumber();
- setMySequenceNumber(seqNumber);
- // initial authtime, tktflags, authdata,
- setAuthTime(apReqTicketEncPart.getAuthTime().toString());
- setTicketFlags(apReqTicketEncPart.getFlags());
- setAuthData(apReqTicketEncPart.getAuthorizationData());
-
- byte[] ret = null;
- try {
- ByteBuffer outBuffer = ByteBuffer.allocate(apRep.encodingLength() + 2);
- outBuffer.put(MSG_AP_REP);
- apRep.encode(outBuffer);
- outBuffer.flip();
- ret = outBuffer.array();
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1, "Generate ApRep bytes failed:" + e.getMessage());
- }
- return ret;
- }
-
- public int getWrapSizeLimit(int qop, boolean confReq, int maxTokSize)
- throws GSSException {
- if (gssEncryptor.isV2()) {
- return WrapTokenV2.getMsgSizeLimit(qop, confReq, maxTokSize, gssEncryptor);
- } else {
- return WrapTokenV1.getMsgSizeLimit(qop, confReq, maxTokSize, gssEncryptor);
- }
- }
-
- public void wrap(InputStream is, OutputStream os, MessageProp msgProp)
- throws GSSException {
- if (ctxState != STATE_ESTABLISHED) {
- throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for wrap");
- }
- if (gssEncryptor.isV2()) {
- WrapTokenV2 token = new WrapTokenV2(this, inBuf, 0, len, msgProp);
- token.wrap(os);
- } else {
- WrapTokenV1 token = new WrapTokenV1(this, inBuf, 0, len, msgProp);
- token.wrap(os);
- }
- }
-
- public byte[] wrap(byte[] inBuf, int offset, int len,
- MessageProp msgProp) throws GSSException {
- if (ctxState != STATE_ESTABLISHED) {
- throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for wrap");
- }
- byte[] ret;
- if (gssEncryptor.isV2()) {
- WrapTokenV2 token = new WrapTokenV2(this, inBuf, offset, len, msgProp);
- ret = token.wrap();
- } else {
- WrapTokenV1 token = new WrapTokenV1(this, inBuf, offset, len, msgProp);
- ret = token.wrap();
- }
- return ret;
- }
-
- public void unwrap(InputStream is, OutputStream os,
- MessageProp msgProp) throws GSSException {
- if (gssEncryptor.isV2()) {
- WrapTokenV2 token = new WrapTokenV2(this, msgProp, is);
- token.unwrap(os);
- } else {
- WrapTokenV1 token = new WrapTokenV1(this, msgProp, is);
- token.unwrap(os);
- }
- }
-
- public byte[] unwrap(byte[] inBuf, int offset, int len,
- MessageProp msgProp) throws GSSException {
- if (ctxState != STATE_ESTABLISHED) {
- throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for unwrap");
- }
- byte[] ret;
- if (gssEncryptor.isV2()) {
- WrapTokenV2 token = new WrapTokenV2(this, msgProp, inBuf, offset, len);
- ret = token.unwrap();
- } else {
- WrapTokenV1 token = new WrapTokenV1(this, msgProp, inBuf, offset, len);
- ret = token.unwrap();
- }
- return ret;
- }
-
- public void getMIC(InputStream is, OutputStream os,
- MessageProp msgProp)
- throws GSSException {
- }
-
- public byte[] getMIC(byte[] inMsg, int offset, int len,
- MessageProp msgProp) throws GSSException {
- return null; // TODO: to be implemented
- }
-
- public void verifyMIC(InputStream is, InputStream msgStr,
- MessageProp msgProp) throws GSSException {
- }
-
- public void verifyMIC(byte[]inTok, int tokOffset, int tokLen,
- byte[] inMsg, int msgOffset, int msgLen,
- MessageProp msgProp) throws GSSException {
- }
-
- public byte[] export() throws GSSException {
- throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported export method");
- }
-
- public void dispose() throws GSSException {
- ctxState = STATE_DESTROYED;
- setSessionKey(null, 0);
- peerName = null;
- myCred = null;
- myName = null;
- }
-
-
- private String authTime;
- private void setAuthTime(String authTime) {
- this.authTime = authTime;
- }
-
- public Object inquireSecContext(InquireType type) throws GSSException {
- if (ctxState != STATE_ESTABLISHED) {
- throw new GSSException(GSSException.NO_CONTEXT, -1, "Invalid context");
- }
-
- switch (type) {
- case KRB5_GET_SESSION_KEY:
- return getSessionKey();
- case KRB5_GET_TKT_FLAGS:
- return KerbyUtil.ticketFlagsToBooleans(ticketFlags);
- case KRB5_GET_AUTHZ_DATA:
- if (isInitiator()) {
- throw new GSSException(GSSException.UNAVAILABLE, -1,
- "Authorization data not available for initiator");
- } else {
- return KerbyUtil.kerbyAuthorizationDataToJgssAuthorizationDataEntries(authData);
- }
- case KRB5_GET_AUTHTIME:
- return authTime;
- }
- throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported inquire type");
- }
-
-
- // functions not belong to SPI
- private void setSessionKey(EncryptionKey encryptionKey, int keyComesFrom) {
- this.sessionKey = encryptionKey;
- this.keyComesFrom = keyComesFrom;
- }
-
- public int getKeyComesFrom() {
- return keyComesFrom;
- }
-
- private EncryptionKey getSessionKey() {
- return sessionKey;
- }
-
- private void setTicketFlags(TicketFlags ticketFlags) {
- this.ticketFlags = ticketFlags;
- }
-
- private AuthorizationData authData;
- private void setAuthData(AuthorizationData authData) {
- this.authData = authData;
- }
-
-
- private int mySequenceNumber;
- private int peerSequenceNumber;
- private Object mySequenceNumberLock;
- private Object peerSequenceNumberLock;
-
- public void setMySequenceNumber(int sequenceNumber) {
- synchronized (mySequenceNumberLock) {
- mySequenceNumber = sequenceNumber;
- }
- }
-
- public int incMySequenceNumber() {
- synchronized (mySequenceNumberLock) {
- return mySequenceNumber++;
- }
- }
-
- public void setPeerSequenceNumber(int sequenceNumber) {
- synchronized (peerSequenceNumberLock) {
- peerSequenceNumber = sequenceNumber;
- }
- }
-
- public int incPeerSequenceNumber() {
- synchronized (peerSequenceNumberLock) {
- return peerSequenceNumber++;
- }
- }
-
- public KerbyGssEncryptor getGssEncryptor() {
- return gssEncryptor;
- }
-}
[17/18] directory-kerby git commit: Avoiding some NPEs
Posted by co...@apache.org.
Avoiding some NPEs
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/6bf7ddbc
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/6bf7ddbc
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/6bf7ddbc
Branch: refs/heads/trunk
Commit: 6bf7ddbcd4d31381fb1dff98eb6a2263ace94a65
Parents: 1e30df4
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Jul 21 15:45:10 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 15:45:10 2017 +0100
----------------------------------------------------------------------
.../kerby/kerberos/kerb/gss/impl/GssUtil.java | 27 ++++++++++++--------
1 file changed, 16 insertions(+), 11 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/6bf7ddbc/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssUtil.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssUtil.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssUtil.java
index 372abcb..6b55ea9 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssUtil.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssUtil.java
@@ -261,21 +261,26 @@ public class GssUtil {
boolean[] flags = ticketFlagsToBooleans(ticketFlags);
Date authTime = new Date(encKdcRepPart.getAuthTime().getTime());
- Date startTime = new Date(encKdcRepPart.getStartTime().getTime());
+ Date startTime = null;
+ if (encKdcRepPart.getStartTime() != null) {
+ startTime = new Date(encKdcRepPart.getStartTime().getTime());
+ }
Date endTime = new Date(encKdcRepPart.getEndTime().getTime());
Date renewTill = new Date(encKdcRepPart.getRenewTill().getTime());
InetAddress[] clientAddresses = null;
- List<HostAddress> hostAddresses = encKdcRepPart.getCaddr().getElements();
- if (hostAddresses != null) {
- int i = 0;
- clientAddresses = new InetAddress[hostAddresses.size()];
- for (HostAddress hostAddr : hostAddresses) {
- try {
- InetAddress iAddr = InetAddress.getByAddress(hostAddr.getAddress());
- clientAddresses[i++] = iAddr;
- } catch (UnknownHostException e) {
- throw new GSSException(GSSException.FAILURE, -1, "Bad client address");
+ if (encKdcRepPart.getCaddr() != null) {
+ List<HostAddress> hostAddresses = encKdcRepPart.getCaddr().getElements();
+ if (hostAddresses != null) {
+ int i = 0;
+ clientAddresses = new InetAddress[hostAddresses.size()];
+ for (HostAddress hostAddr : hostAddresses) {
+ try {
+ InetAddress iAddr = InetAddress.getByAddress(hostAddr.getAddress());
+ clientAddresses[i++] = iAddr;
+ } catch (UnknownHostException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Bad client address");
+ }
}
}
}
[06/18] directory-kerby git commit: DIRKRB-566 - Implement Gss tokens
defined in RFC 1964. Thanks to Wei Zhou.
Posted by co...@apache.org.
DIRKRB-566 - Implement Gss tokens defined in RFC 1964. Thanks to Wei Zhou.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/8618caeb
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/8618caeb
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/8618caeb
Branch: refs/heads/trunk
Commit: 8618caeb7ac2a3a87c6576bf7be0eaacf11fb736
Parents: 33b0a72
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Jul 21 14:54:19 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 14:54:19 2017 +0100
----------------------------------------------------------------------
.../kerberos/kerb/gssapi/krb5/CredUtils.java | 8 +-
.../kerberos/kerb/gssapi/krb5/KerbyContext.java | 42 ++-
.../kerb/gssapi/krb5/KerbyGssEncryptor.java | 300 +++++++++++++++--
.../kerb/gssapi/krb5/KerbyGssTokenV1.java | 319 +++++++++++++++++++
.../kerberos/kerb/gssapi/krb5/MicTokenV1.java | 92 ++++++
.../kerberos/kerb/gssapi/krb5/WrapTokenV1.java | 196 ++++++++++++
.../kerberos/kerb/gssapi/krb5/WrapTokenV2.java | 9 +-
7 files changed, 929 insertions(+), 37 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8618caeb/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/CredUtils.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/CredUtils.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/CredUtils.java
index 6d066db..f7ddc31 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/CredUtils.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/CredUtils.java
@@ -4,10 +4,7 @@ import org.ietf.jgss.GSSException;
import sun.security.jgss.GSSCaller;
import javax.security.auth.Subject;
-import javax.security.auth.kerberos.KerberosPrincipal;
-import javax.security.auth.kerberos.KerberosTicket;
-import javax.security.auth.kerberos.KeyTab;
-import javax.security.auth.kerberos.ServicePermission;
+import javax.security.auth.kerberos.*;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedActionException;
@@ -55,7 +52,8 @@ public class CredUtils {
public static KeyTab getKeyTabFromContext(KerberosPrincipal principal) throws GSSException {
Set<KeyTab> tabs = getContextCredentials(KeyTab.class);
for (KeyTab tab : tabs) {
- if (tab.getPrincipal().equals(principal)) {
+ KerberosKey[] keys = tab.getKeys(principal);
+ if (keys != null && keys.length > 0) {
return tab;
}
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8618caeb/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
index b450cc9..eba2a26 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
@@ -468,7 +468,11 @@ public class KerbyContext implements GSSContextSpi {
public int getWrapSizeLimit(int qop, boolean confReq, int maxTokSize)
throws GSSException {
- return 65536; // TODO: to be implemented
+ if (gssEncryptor.isV2()) {
+ return WrapTokenV2.getMsgSizeLimit(qop, confReq, maxTokSize, gssEncryptor);
+ } else {
+ return WrapTokenV1.getMsgSizeLimit(qop, confReq, maxTokSize, gssEncryptor);
+ }
}
public void wrap(InputStream is, OutputStream os, MessageProp msgProp)
@@ -476,7 +480,13 @@ public class KerbyContext implements GSSContextSpi {
if (ctxState != STATE_ESTABLISHED) {
throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for wrap");
}
- throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported method"); // TODO: to be implemented
+ if (gssEncryptor.isV2()) {
+ WrapTokenV2 token = new WrapTokenV2(this, inBuf, 0, len, msgProp);
+ token.wrap(os);
+ } else {
+ WrapTokenV1 token = new WrapTokenV1(this, inBuf, 0, len, msgProp);
+ token.wrap(os);
+ }
}
public byte[] wrap(byte[] inBuf, int offset, int len,
@@ -484,12 +494,26 @@ public class KerbyContext implements GSSContextSpi {
if (ctxState != STATE_ESTABLISHED) {
throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for wrap");
}
- return null; // TODO: to be implemented
+ byte[] ret;
+ if (gssEncryptor.isV2()) {
+ WrapTokenV2 token = new WrapTokenV2(this, inBuf, offset, len, msgProp);
+ ret = token.wrap();
+ } else {
+ WrapTokenV1 token = new WrapTokenV1(this, inBuf, offset, len, msgProp);
+ ret = token.wrap();
+ }
+ return ret;
}
public void unwrap(InputStream is, OutputStream os,
MessageProp msgProp) throws GSSException {
- throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported method"); // TODO: to be implemented
+ if (gssEncryptor.isV2()) {
+ WrapTokenV2 token = new WrapTokenV2(this, msgProp, is);
+ token.unwrap(os);
+ } else {
+ WrapTokenV1 token = new WrapTokenV1(this, msgProp, is);
+ token.unwrap(os);
+ }
}
public byte[] unwrap(byte[] inBuf, int offset, int len,
@@ -497,7 +521,15 @@ public class KerbyContext implements GSSContextSpi {
if (ctxState != STATE_ESTABLISHED) {
throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for unwrap");
}
- return null; // TODO: to be implemented
+ byte[] ret;
+ if (gssEncryptor.isV2()) {
+ WrapTokenV2 token = new WrapTokenV2(this, msgProp, inBuf, offset, len);
+ ret = token.unwrap();
+ } else {
+ WrapTokenV1 token = new WrapTokenV1(this, msgProp, inBuf, offset, len);
+ ret = token.unwrap();
+ }
+ return ret;
}
public void getMIC(InputStream is, OutputStream os,
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8618caeb/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssEncryptor.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssEncryptor.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssEncryptor.java
index d65346b..9aff63e 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssEncryptor.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssEncryptor.java
@@ -25,29 +25,66 @@ import org.apache.kerby.kerberos.kerb.crypto.CheckSumHandler;
import org.apache.kerby.kerberos.kerb.crypto.CheckSumTypeHandler;
import org.apache.kerby.kerberos.kerb.crypto.EncTypeHandler;
import org.apache.kerby.kerberos.kerb.crypto.EncryptionHandler;
+import org.apache.kerby.kerberos.kerb.crypto.cksum.provider.Md5Provider;
+import org.apache.kerby.kerberos.kerb.crypto.enc.provider.DesProvider;
+import org.apache.kerby.kerberos.kerb.crypto.enc.provider.Rc4Provider;
import org.apache.kerby.kerberos.kerb.type.base.CheckSumType;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionType;
import org.ietf.jgss.GSSException;
+import javax.crypto.Mac;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
+
/**
* This class implements encryption related function used in GSS tokens
*/
public class KerbyGssEncryptor {
- private EncryptionKey encKey;
+ private final EncryptionKey encKey;
+ private final EncryptionType encKeyType; // The following two variables used for convenience
+ private final byte[] encKeyBytes;
+
+ private CheckSumType checkSumTypeDef;
+ private int checkSumSize;
+
private boolean isV2 = false;
+ private int sgnAlg = 0xFFFF;
+ private int sealAlg = 0xFFFF;
+ private boolean isArcFourHmac = false;
+
+ private static final byte[] IV_ZEROR_8B = new byte[8];
public KerbyGssEncryptor(EncryptionKey key) throws GSSException {
encKey = key;
- EncryptionType keyType = key.getKeyType();
- // TODO: add support for other algorithms
- if (keyType == EncryptionType.AES128_CTS_HMAC_SHA1_96
- || keyType == EncryptionType.AES256_CTS_HMAC_SHA1_96) {
+ encKeyBytes = encKey.getKeyData();
+ encKeyType = key.getKeyType();
+
+ if (encKeyType == EncryptionType.AES128_CTS_HMAC_SHA1_96) {
+ checkSumSize = 12;
+ checkSumTypeDef = CheckSumType.HMAC_SHA1_96_AES128;
isV2 = true;
+ } else if (encKeyType == EncryptionType.AES256_CTS_HMAC_SHA1_96) {
+ checkSumSize = 12;
+ checkSumTypeDef = CheckSumType.HMAC_SHA1_96_AES256;
+ isV2 = true;
+ } else if (encKeyType == EncryptionType.DES_CBC_CRC || encKeyType == EncryptionType.DES_CBC_MD5) {
+ sgnAlg = KerbyGssTokenV1.SGN_ALG_DES_MAC_MD5;
+ sealAlg = KerbyGssTokenV1.SEAL_ALG_DES;
+ checkSumSize = 8;
+ } else if (encKeyType == EncryptionType.DES3_CBC_SHA1) {
+ sgnAlg = KerbyGssTokenV1.SGN_ALG_HMAC_SHA1_DES3_KD;
+ sealAlg = KerbyGssTokenV1.SEAL_ALG_DES3_KD;
+ checkSumSize = 20;
+ } else if (encKeyType == EncryptionType.ARCFOUR_HMAC) {
+ sgnAlg = KerbyGssTokenV1.SGN_ALG_RC4_HMAC;
+ sealAlg = KerbyGssTokenV1.SEAL_ALG_RC4_HMAC;
+ checkSumSize = 16;
+ isArcFourHmac = true;
} else {
throw new GSSException(GSSException.FAILURE, -1,
- "Invalid encryption type: " + key.getKeyType().getDisplayName());
+ "Invalid encryption type: " + encKeyType.getDisplayName());
}
}
@@ -59,6 +96,18 @@ public class KerbyGssEncryptor {
return isV2;
}
+ public int getSgnAlg() {
+ return sgnAlg;
+ }
+
+ public int getSealAlg() {
+ return sealAlg;
+ }
+
+ public boolean isArcFourHmac() {
+ return isArcFourHmac;
+ }
+
public byte[] encryptData(byte[] tokenHeader, byte[] data,
int offset, int len, int keyUsage) throws GSSException {
byte[] ret;
@@ -102,37 +151,238 @@ public class KerbyGssEncryptor {
}
try {
- return getCheckSumHandler().checksumWithKey(buffer, encKey.getKeyData(), keyUsage);
+ return CheckSumHandler.getCheckSumHandler(checkSumTypeDef)
+ .checksumWithKey(buffer, encKey.getKeyData(), keyUsage);
} catch (KrbException e) {
throw new GSSException(GSSException.FAILURE, -1,
- "Exception in checksum calculation:" + encKey.getKeyType().getName());
+ "Exception in checksum calculation:" + e.getMessage());
+ }
+ }
+
+ /**
+ * Get the size of the corresponding checksum algorithm
+ * @return
+ * @throws GSSException
+ */
+ public int getCheckSumSize() throws GSSException {
+ return checkSumSize;
+ }
+
+
+ private void addPadding(int paddingLen, byte[] outBuf, int offset) {
+ for (int i = 0; i < paddingLen; i++) {
+ outBuf[offset + i] = (byte) paddingLen;
+ }
+ }
+
+ private byte[] getFirstBytes(byte[] src, int len) {
+ if (len < src.length) {
+ byte[] ret = new byte[len];
+ System.arraycopy(src, 0, ret, 0, len);
+ return ret;
}
+ return src;
}
- private CheckSumTypeHandler getCheckSumHandler() throws GSSException {
- CheckSumType checkSumType;
- if (encKey.getKeyType() == EncryptionType.AES128_CTS_HMAC_SHA1_96) {
- checkSumType = CheckSumType.HMAC_SHA1_96_AES128;
- } else if (encKey.getKeyType() == EncryptionType.AES256_CTS_HMAC_SHA1_96) {
- checkSumType = CheckSumType.HMAC_SHA1_96_AES256;
+ private byte[] getKeyBytesWithLength(int len) {
+ return getFirstBytes(encKeyBytes, len);
+ }
+
+ public byte[] calculateCheckSum(byte[] confounder, byte[] header,
+ byte[] data, int offset, int len, int paddingLen, boolean isMic)
+ throws GSSException {
+ byte[] ret;
+ int keyUsage = KerbyGssTokenV1.KG_USAGE_SIGN;
+ CheckSumTypeHandler handler;
+
+ int keySize;
+ byte[] key;
+ byte[] toProc;
+ int toOffset;
+ int toLen = (confounder == null ? 0 : confounder.length)
+ + (header == null ? 0 : header.length) + len + paddingLen;
+ if (toLen == len) {
+ toProc = data;
+ toOffset = offset;
} else {
+ toOffset = 0;
+ int idx = 0;
+ toProc = new byte[toLen];
+
+ if (header != null) {
+ System.arraycopy(header, 0, toProc, idx, header.length);
+ idx += header.length;
+ }
+
+ if (confounder != null) {
+ System.arraycopy(confounder, 0, toProc, idx, confounder.length);
+ idx += confounder.length;
+ }
+
+ System.arraycopy(data, offset, toProc, idx, len);
+ addPadding(paddingLen, toProc, len + idx);
+ }
+
+ CheckSumType chksumType;
+ try {
+ switch (sgnAlg) {
+ case KerbyGssTokenV1.SGN_ALG_DES_MAC_MD5:
+ Md5Provider md5Provider = new Md5Provider();
+ md5Provider.hash(toProc);
+ toProc = md5Provider.output();
+
+ case KerbyGssTokenV1.SGN_ALG_DES_MAC:
+ DesProvider desProvider = new DesProvider();
+ return desProvider.cbcMac(encKeyBytes, IV_ZEROR_8B, toProc);
+
+ case KerbyGssTokenV1.SGN_ALG_HMAC_SHA1_DES3_KD:
+ chksumType = CheckSumType.HMAC_SHA1_DES3_KD;
+ break;
+ case KerbyGssTokenV1.SGN_ALG_RC4_HMAC:
+ chksumType = CheckSumType.MD5_HMAC_ARCFOUR;
+ if (isMic) {
+ keyUsage = KerbyGssTokenV1.KG_USAGE_MS_SIGN;
+ }
+ break;
+ case KerbyGssTokenV1.SGN_ALG_MD25:
+ throw new GSSException(GSSException.FAILURE, -1, "CheckSum not implemented for SGN_ALG_MD25");
+ default:
+ throw new GSSException(GSSException.FAILURE, -1, "CheckSum not implemented for sgnAlg=" + sgnAlg);
+ }
+ handler = CheckSumHandler.getCheckSumHandler(chksumType);
+ keySize = handler.keySize();
+ key = getKeyBytesWithLength(keySize);
+ ret = handler.checksumWithKey(toProc, toOffset, toLen, key, keyUsage);
+ } catch (KrbException e) {
throw new GSSException(GSSException.FAILURE, -1,
- "Unsupported checksum encryption type:" + encKey.getKeyType().getName());
+ "Exception in checksum calculation sgnAlg = " + sgnAlg + " : " + e.getMessage());
}
+ return ret;
+ }
+
+ public byte[] encryptSequenceNumber(byte[] seqBytes, byte[] ivSrc, boolean encrypt)
+ throws GSSException {
+ EncTypeHandler handler;
try {
- return CheckSumHandler.getCheckSumHandler(checkSumType);
+ switch (sgnAlg) {
+ case KerbyGssTokenV1.SGN_ALG_DES_MAC_MD5:
+ case KerbyGssTokenV1.SGN_ALG_DES_MAC:
+ DesProvider desProvider = new DesProvider();
+ byte[] data = seqBytes.clone();
+ if (encrypt) {
+ desProvider.encrypt(encKeyBytes, ivSrc, data);
+ } else {
+ desProvider.decrypt(encKeyBytes, ivSrc, data);
+ }
+ return data;
+ case KerbyGssTokenV1.SGN_ALG_HMAC_SHA1_DES3_KD:
+ handler = EncryptionHandler.getEncHandler(EncryptionType.DES3_CBC_SHA1_KD);
+ break;
+ case KerbyGssTokenV1.SGN_ALG_RC4_HMAC:
+ return encryptArcFourHmac(seqBytes, getKeyBytesWithLength(16), getFirstBytes(ivSrc, 8), encrypt);
+ case KerbyGssTokenV1.SGN_ALG_MD25:
+ throw new GSSException(GSSException.FAILURE, -1, "EncSeq not implemented for SGN_ALG_MD25");
+ default:
+ throw new GSSException(GSSException.FAILURE, -1, "EncSeq not implemented for sgnAlg=" + sgnAlg);
+ }
+ int keySize = handler.keySize();
+ byte[] key = getKeyBytesWithLength(keySize);
+ int ivLen = handler.encProvider().blockSize();
+ byte[] iv = getFirstBytes(ivSrc, ivLen);
+ if (encrypt) {
+ return handler.encryptRaw(seqBytes, key, iv, KerbyGssTokenV1.KG_USAGE_SEQ);
+ } else {
+ return handler.decryptRaw(seqBytes, key, iv, KerbyGssTokenV1.KG_USAGE_SEQ);
+ }
} catch (KrbException e) {
throw new GSSException(GSSException.FAILURE, -1,
- "Unsupported checksum type:" + checkSumType.getName());
+ "Exception in encrypt seq number sgnAlg = " + sgnAlg + " : " + e.getMessage());
}
}
- /**
- * Get the size of the corresponding checksum algorithm
- * @return
- * @throws GSSException
- */
- public int getCheckSumSize() throws GSSException {
- return getCheckSumHandler().cksumSize();
+ private byte[] getHmacMd5(byte[] key, byte[] salt) throws GSSException {
+ try {
+ SecretKey secretKey = new SecretKeySpec(key, "HmacMD5");
+ Mac mac = Mac.getInstance("HmacMD5");
+ mac.init(secretKey);
+ return mac.doFinal(salt);
+ } catch (Exception e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Get HmacMD5 failed: " + e.getMessage());
+ }
+ }
+
+ private byte[] encryptArcFourHmac(byte[] data, byte[] key, byte[] iv, boolean encrypt)
+ throws GSSException {
+ byte[] sk1 = getHmacMd5(key, new byte[4]);
+ byte[] sk2 = getHmacMd5(sk1, iv);
+ Rc4Provider provider = new Rc4Provider();
+ try {
+ byte[] ret = data.clone();
+ if (encrypt) {
+ provider.encrypt(sk2, ret);
+ } else {
+ provider.decrypt(sk2, ret);
+ }
+ return ret;
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "En/Decrypt sequence failed for ArcFourHmac: " + e.getMessage());
+ }
+ }
+
+ private byte[] encryptDataArcFourHmac(byte[] data, byte[] key, byte[] seqNum, boolean encrypt) throws GSSException {
+ byte[] dataKey = new byte[key.length];
+ for (int i = 0; i <= 15; i++) {
+ dataKey[i] = (byte) (key[i] ^ 0xF0);
+ }
+ return encryptArcFourHmac(data, dataKey, seqNum, encrypt);
+ }
+
+ public byte[] encryptTokenV1(byte[] confounder, byte[] data, int offset, int len,
+ int paddingLen, byte[] seqNumber, boolean encrypt) throws GSSException {
+ byte[] toProc;
+ if (encrypt) {
+ int toLen = (confounder == null ? 0 : confounder.length) + len + paddingLen;
+ int index = 0;
+ toProc = new byte[toLen];
+ if (confounder != null) {
+ System.arraycopy(confounder, 0, toProc, 0, confounder.length);
+ index += confounder.length;
+ }
+ System.arraycopy(data, offset, toProc, index, len);
+ addPadding(paddingLen, toProc, index + len);
+ } else {
+ toProc = data;
+ if (data.length != len) {
+ toProc = new byte[len];
+ System.arraycopy(data, offset, toProc, 0, len);
+ }
+ }
+ EncTypeHandler handler;
+ try {
+ switch (sealAlg) {
+ case KerbyGssTokenV1.SEAL_ALG_DES:
+ handler = EncryptionHandler.getEncHandler(EncryptionType.DES_CBC_MD5);
+ break;
+ case KerbyGssTokenV1.SEAL_ALG_DES3_KD:
+ handler = EncryptionHandler.getEncHandler(EncryptionType.DES3_CBC_SHA1_KD);
+ break;
+ case KerbyGssTokenV1.SEAL_ALG_RC4_HMAC:
+ return encryptDataArcFourHmac(toProc, getKeyBytesWithLength(16), seqNumber, encrypt);
+ default:
+ throw new GSSException(GSSException.FAILURE, -1, "Unknown encryption type sealAlg = " + sealAlg);
+ }
+
+ int keySize = handler.keySize();
+ byte[] key = getKeyBytesWithLength(keySize);
+ if (encrypt) {
+ return handler.encryptRaw(toProc, key, KerbyGssTokenV1.KG_USAGE_SEAL);
+ } else {
+ return handler.decryptRaw(toProc, key, KerbyGssTokenV1.KG_USAGE_SEAL);
+ }
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Exception in encrypt data sealAlg = " + sealAlg + " : " + e.getMessage());
+ }
}
-}
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8618caeb/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenV1.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenV1.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenV1.java
new file mode 100644
index 0000000..6b1a2c7
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenV1.java
@@ -0,0 +1,319 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gssapi.krb5;
+
+
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.MessageProp;
+import sun.security.jgss.GSSHeader;
+import sun.security.util.ObjectIdentifier;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.security.MessageDigest;
+
+/**
+ * This class implements the token formats defined in RFC 1964 and its updates
+ *
+ * The GSS Wrap token has the following format:
+ *
+ * Byte no Name Description
+ * 0..1 TOK_ID 0201
+ *
+ * 2..3 SGN_ALG Checksum algorithm indicator.
+ * 00 00 DES MAC MD5
+ * 01 00 MD2.5
+ * 02 00 DES MAC
+ * 04 00 HMAC SHA1 DES3-KD
+ * 11 00 RC4-HMAC used by Microsoft Windows, RFC 4757
+ * 4..5 SEAL_ALG ff ff none
+ * 00 00 DES
+ * 02 00 DES3-KD
+ * 10 00 RC4-HMAC
+ * 6..7 Filler FF FF
+ * 8..15 SND_SEQ Encrypted sequence number field.
+ * 16..23 SNG_CKSUM Checksum of plaintext padded data,
+ * calculated according to algorithm
+ * specified in SGN_ALG field.
+ * 24.. Data Encrypted or plaintext padded data
+ *
+ *
+ *
+ * Use of the GSS MIC token has the following format:
+
+ * Byte no Name Description
+ * 0..1 TOK_ID 0101
+ * 2..3 SGN_ALG Integrity algorithm indicator.
+ * 4..7 Filler Contains ff ff ff ff
+ * 8..15 SND_SEQ Sequence number field.
+ * 16..23 SGN_CKSUM Checksum of "to-be-signed data",
+ * calculated according to algorithm
+ * specified in SGN_ALG field.
+ *
+ */
+abstract class KerbyGssTokenV1 extends KerbyGssTokenBase {
+ // SGN ALG
+ public static final int SGN_ALG_DES_MAC_MD5 = 0;
+ public static final int SGN_ALG_MD25 = 0x0100;
+ public static final int SGN_ALG_DES_MAC = 0x0200;
+ public static final int SGN_ALG_HMAC_SHA1_DES3_KD = 0x0400;
+ public static final int SGN_ALG_RC4_HMAC = 0x1100;
+
+ // SEAL ALG
+ public static final int SEAL_ALG_NONE = 0xFFFF;
+ public static final int SEAL_ALG_DES = 0x0; // "DES/CBC/NoPadding"
+ public static final int SEAL_ALG_DES3_KD = 0x0200;
+ public static final int SEAL_ALG_RC4_HMAC = 0x1000;
+
+ public static final int KG_USAGE_SEAL = 22;
+ public static final int KG_USAGE_SIGN = 23;
+ public static final int KG_USAGE_SEQ = 24;
+ public static final int KG_USAGE_MS_SIGN = 15;
+
+ private boolean isInitiator;
+ private boolean confState;
+ private int sequenceNumber;
+
+ protected KerbyGssEncryptor encryptor;
+
+ private GSSHeader gssHeader;
+
+ public static final int TOKEN_HEADER_COMM_SIZE = 8;
+ public static final int TOKEN_HEADER_SEQ_SIZE = 8;
+
+ // Token commHeader data
+ private int tokenType;
+ private byte[] commHeader = new byte[TOKEN_HEADER_COMM_SIZE];
+ private int sgnAlg;
+ private int sealAlg;
+
+ private byte[] plainSequenceBytes;
+ private byte[] encryptedSequenceNumber = new byte[TOKEN_HEADER_SEQ_SIZE];
+ private byte[] checkSum;
+ private int checkSumSize;
+
+ protected int reconHeaderLen; // only used for certain reason
+
+ public static ObjectIdentifier objId;
+
+ static {
+ try {
+ objId = new ObjectIdentifier("1.2.840.113554.1.2.2");
+ } catch (IOException ioe) { // NOPMD
+ }
+ }
+
+ protected int getTokenHeaderSize() {
+ return TOKEN_HEADER_COMM_SIZE + TOKEN_HEADER_SEQ_SIZE + checkSumSize;
+ }
+
+ protected byte[] getPlainSequenceBytes() {
+ byte[] ret = new byte[4];
+ ret[0] = plainSequenceBytes[0];
+ ret[1] = plainSequenceBytes[1];
+ ret[2] = plainSequenceBytes[2];
+ ret[3] = plainSequenceBytes[3];
+ return ret;
+ }
+
+ // Generate a new token
+ KerbyGssTokenV1(int tokenType, KerbyContext context) throws GSSException {
+ initialize(tokenType, context, false);
+ createTokenHeader();
+ }
+
+ // Reconstruct a token
+ KerbyGssTokenV1(int tokenType, KerbyContext context, MessageProp prop,
+ byte[] token, int offset, int size) throws GSSException {
+ int proxLen = size > 64 ? 64 : size;
+ InputStream is = new ByteArrayInputStream(token, offset, proxLen);
+ reconstructInitializaion(tokenType, context, prop, is);
+ reconHeaderLen = gssHeader.getLength() + getTokenHeaderSize();
+ }
+
+ // Reconstruct a token
+ KerbyGssTokenV1(int tokenType, KerbyContext context, MessageProp prop, InputStream is) throws GSSException {
+ reconstructInitializaion(tokenType, context, prop, is);
+ }
+
+ private void reconstructInitializaion(int tokenType, KerbyContext context, MessageProp prop, InputStream is)
+ throws GSSException {
+ initialize(tokenType, context, true);
+ if (!confState) {
+ prop.setPrivacy(false);
+ }
+
+ try {
+ gssHeader = new GSSHeader(is);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token:" + e.getMessage());
+ }
+
+ if (!gssHeader.getOid().equals((Object) objId)) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token OID");
+ }
+
+ reconstructTokenHeader(is, prop);
+ }
+
+ private void initialize(int tokenType,
+ KerbyContext context,
+ boolean reconstruct) throws GSSException {
+ this.tokenType = tokenType;
+ this.isInitiator = context.isInitiator();
+ this.confState = context.getConfState();
+ this.encryptor = context.getGssEncryptor();
+ this.checkSumSize = encryptor.getCheckSumSize();
+ if (!reconstruct) {
+ this.sequenceNumber = context.incMySequenceNumber();
+ } else {
+ checkSum = new byte[checkSumSize];
+ }
+ }
+
+ protected void calcPrivacyInfo(MessageProp prop, byte[] confounder, byte[] data,
+ int dataOffset, int dataLength, int paddingLen) throws GSSException {
+ prop.setQOP(0);
+ if (!confState) {
+ prop.setPrivacy(false);
+ }
+
+ checkSum = calcCheckSum(confounder, commHeader, data, dataOffset, dataLength, paddingLen);
+ encryptSequenceNumber();
+ }
+
+ protected void verifyToken(byte[] confounder, byte[] data, int dataOffset, int dataLength, int paddingLen)
+ throws GSSException {
+ byte[] sum = calcCheckSum(confounder, commHeader, data, dataOffset, dataLength, paddingLen);
+ if (!MessageDigest.isEqual(checkSum, sum)) {
+ throw new GSSException(GSSException.BAD_MIC, -1,
+ "Corrupt token checksum for " + (tokenType == TOKEN_MIC_V1 ? "Mic" : "Wrap") + "TokenV1");
+ }
+ }
+
+ private byte[] calcCheckSum(byte[] confounder, byte[] header, byte[] data,
+ int dataOffset, int dataLength, int paddingLen) throws GSSException {
+ return encryptor.calculateCheckSum(confounder, header, data, dataOffset, dataLength, paddingLen,
+ tokenType == TOKEN_MIC_V1);
+ }
+
+ private void encryptSequenceNumber() throws GSSException {
+ plainSequenceBytes = new byte[8];
+ if (encryptor.isArcFourHmac()) {
+ writeBigEndian(plainSequenceBytes, 0, sequenceNumber);
+ } else {
+ plainSequenceBytes[0] = (byte) sequenceNumber;
+ plainSequenceBytes[1] = (byte) (sequenceNumber >>> 8);
+ plainSequenceBytes[2] = (byte) (sequenceNumber >>> 16);
+ plainSequenceBytes[3] = (byte) (sequenceNumber >>> 24);
+ }
+
+ // Hex 0 - sender is the context initiator, Hex FF - sender is the context acceptor
+ if (!isInitiator) {
+ plainSequenceBytes[4] = (byte) 0xFF;
+ plainSequenceBytes[5] = (byte) 0xFF;
+ plainSequenceBytes[6] = (byte) 0xFF;
+ plainSequenceBytes[7] = (byte) 0xFF;
+ }
+
+ encryptedSequenceNumber = encryptor.encryptSequenceNumber(plainSequenceBytes, checkSum, true);
+ }
+
+ public void encodeHeader(OutputStream os) throws GSSException, IOException {
+ // | GSSHeader | TokenHeader |
+ GSSHeader gssHeader = new GSSHeader(objId, getTokenSizeWithoutGssHeader());
+ gssHeader.encode(os);
+ os.write(commHeader);
+ os.write(encryptedSequenceNumber);
+ os.write(checkSum);
+ }
+
+ private void createTokenHeader() {
+ commHeader[0] = (byte) (tokenType >>> 8);
+ commHeader[1] = (byte) tokenType;
+
+ sgnAlg = encryptor.getSgnAlg();
+ commHeader[2] = (byte) (sgnAlg >>> 8);
+ commHeader[3] = (byte) sgnAlg;
+
+ if (tokenType == TOKEN_WRAP_V1) {
+ sealAlg = encryptor.getSealAlg();
+ commHeader[4] = (byte) (sealAlg >>> 8);
+ commHeader[5] = (byte) sealAlg;
+ } else {
+ commHeader[4] = (byte) 0xFF;
+ commHeader[5] = (byte) 0xFF;
+ }
+
+ commHeader[6] = (byte) 0xFF;
+ commHeader[7] = (byte) 0xFF;
+ }
+
+ // Re-construct token commHeader
+ private void reconstructTokenHeader(InputStream is, MessageProp prop) throws GSSException {
+ try {
+ if (is.read(commHeader) != commHeader.length
+ || is.read(encryptedSequenceNumber) != encryptedSequenceNumber.length
+ || is.read(checkSum) != checkSum.length) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Insufficient in reconstruct token header");
+ }
+ initTokenHeader(commHeader, prop);
+
+ plainSequenceBytes = encryptor.encryptSequenceNumber(encryptedSequenceNumber, checkSum, false);
+ byte dirc = isInitiator ? (byte) 0xFF : 0;
+ // Hex 0 - sender is the context initiator, Hex FF - sender is the context acceptor
+ if (!(plainSequenceBytes[4] == dirc && plainSequenceBytes[5] == dirc
+ && plainSequenceBytes[6] == dirc && plainSequenceBytes[7] == dirc)) {
+ throw new GSSException(GSSException.BAD_MIC, -1,
+ "Corrupt token sequence for " + (tokenType == TOKEN_MIC_V1 ? "Mic" : "Wrap") + "TokenV1");
+ }
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Error in reconstruct token header:" + e.getMessage());
+ }
+ }
+
+ private void initTokenHeader(byte[] tokenBytes, MessageProp prop) throws GSSException {
+ int tokenIDRecv = (((int) tokenBytes[0]) << 8) + tokenBytes[1];
+ if (tokenType != tokenIDRecv) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1,
+ "Token ID should be " + tokenType + " instead of " + tokenIDRecv);
+ }
+
+ sgnAlg = (((int) tokenBytes[2]) << 8) + tokenBytes[3];
+ sealAlg = (((int) tokenBytes[4]) << 8) + tokenBytes[5];
+
+ if (tokenBytes[6] != (byte) 0xFF || tokenBytes[7] != (byte) 0xFF) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token head filler");
+ }
+
+ prop.setQOP(0);
+ prop.setPrivacy(sealAlg != SEAL_ALG_NONE);
+ }
+
+ protected GSSHeader getGssHeader() {
+ return gssHeader;
+ }
+
+ abstract int getTokenSizeWithoutGssHeader();
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8618caeb/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/MicTokenV1.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/MicTokenV1.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/MicTokenV1.java
new file mode 100644
index 0000000..6a76e4c
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/MicTokenV1.java
@@ -0,0 +1,92 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gssapi.krb5;
+
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.MessageProp;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+
+public class MicTokenV1 extends KerbyGssTokenV1 {
+ public MicTokenV1(KerbyContext context,
+ byte[] inMsg,
+ int msgOffset,
+ int msgLength,
+ MessageProp messageProp) throws GSSException {
+ super(TOKEN_MIC_V1, context);
+ calcPrivacyInfo(messageProp, null, inMsg, msgOffset, msgLength, 0);
+ }
+
+ // This is called to construct MicToken from MicToken bytes
+ MicTokenV1(KerbyContext context,
+ MessageProp messageProp,
+ byte[] inToken,
+ int tokenOffset,
+ int tokenLength) throws GSSException {
+ super(TOKEN_MIC_V1, context, messageProp, inToken, tokenOffset, tokenLength);
+ }
+
+ public int getMic(byte[] outToken, int offset) throws GSSException, IOException {
+ byte[] data = getMic();
+ System.arraycopy(data, 0, outToken, offset, data.length);
+ return data.length;
+ }
+
+ /**
+ * Get bytes for this Mic token
+ * @return
+ */
+ public byte[] getMic() throws GSSException {
+ ByteArrayOutputStream os = new ByteArrayOutputStream(64);
+ getMic(os);
+ return os.toByteArray();
+ }
+
+ public void getMic(OutputStream os) throws GSSException {
+ try {
+ encodeHeader(os);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Error in output MicTokenV1 bytes:" + e.getMessage());
+ }
+ }
+
+ public void verify(InputStream is) throws GSSException {
+ byte[] data;
+ try {
+ data = new byte[is.available()];
+ is.read(data);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Read plain data for MicTokenV1 error:" + e.getMessage());
+ }
+ verify(data, 0, data.length);
+ }
+
+ public void verify(byte[] data, int offset, int len) throws GSSException {
+ verifyToken(null, data, offset, len, 0);
+ }
+
+ protected int getTokenSizeWithoutGssHeader() {
+ return getTokenHeaderSize();
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8618caeb/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV1.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV1.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV1.java
new file mode 100644
index 0000000..8ecdae4
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV1.java
@@ -0,0 +1,196 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gssapi.krb5;
+
+import org.apache.kerby.kerberos.kerb.crypto.util.Random;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.MessageProp;
+import sun.security.jgss.GSSHeader;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+
+public class WrapTokenV1 extends KerbyGssTokenV1 {
+ public static final int CONFOUNDER_SIZE = 8;
+
+ private boolean privacy;
+
+ private byte[] inData;
+ private int inOffset;
+ private int inLen;
+
+ private int paddingLen;
+ private byte[] confounder;
+ private int tokenBodyLen;
+
+ private byte[] bodyData;
+ private int bodyOffset;
+ private int bodyLen;
+
+ // for reconstruct
+ private int rawDataLength;
+ private byte[] rawData;
+ private int rawDataOffset;
+
+
+ // Generate wrap token according user data
+ public WrapTokenV1(KerbyContext context,
+ byte[] inMsg,
+ int msgOffset,
+ int msgLength,
+ MessageProp prop) throws GSSException {
+ super(TOKEN_WRAP_V1, context);
+
+ paddingLen = getPaddingLength(msgLength);
+ confounder = Random.makeBytes(CONFOUNDER_SIZE);
+ tokenBodyLen = CONFOUNDER_SIZE + msgLength + paddingLen;
+
+ calcPrivacyInfo(prop, confounder, inMsg, msgOffset, msgLength, paddingLen);
+
+ if (!context.getConfState()) {
+ prop.setPrivacy(false);
+ }
+ privacy = prop.getPrivacy();
+ inData = inMsg;
+ inOffset = msgOffset;
+ inLen = msgLength;
+ }
+
+ // Reconstruct a token from token bytes
+ public WrapTokenV1(KerbyContext context, MessageProp prop,
+ byte[] token, int offset, int len) throws GSSException {
+ super(TOKEN_WRAP_V1, context, prop, token, offset, len);
+ // adjust the offset to the beginning of the body
+ bodyData = token;
+ bodyOffset = offset + reconHeaderLen;
+ bodyLen = len - reconHeaderLen;
+ getRawData(prop);
+ }
+
+ // Reconstruct a token from token bytes stream
+ public WrapTokenV1(KerbyContext context, MessageProp prop, InputStream is) throws GSSException {
+ super(TOKEN_WRAP_V1, context, prop, is);
+ byte[] token;
+ int len;
+ try {
+ len = is.available();
+ token = new byte[len];
+ is.read(token);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Read wrap token V1 error:" + e.getMessage());
+ }
+ bodyData = token;
+ bodyOffset = 0;
+ bodyLen = len;
+ getRawData(prop);
+ }
+
+ private void getRawData(MessageProp prop) throws GSSException {
+ privacy = prop.getPrivacy();
+ tokenBodyLen = getGssHeader().getMechTokenLength() - getTokenHeaderSize();
+
+ if (bodyLen < tokenBodyLen) {
+ throw new GSSException(GSSException.FAILURE, -1, "Insufficient data for Wrap token V1");
+ }
+
+ if (privacy) {
+ rawData = encryptor.encryptTokenV1(null, bodyData, bodyOffset, tokenBodyLen, 0,
+ encryptor.isArcFourHmac() ? getPlainSequenceBytes() : null, false);
+ paddingLen = rawData[rawData.length - 1];
+ rawDataOffset = CONFOUNDER_SIZE;
+ } else {
+ rawData = bodyData;
+ paddingLen = bodyData[bodyOffset + tokenBodyLen - 1];
+ rawDataOffset = bodyOffset + CONFOUNDER_SIZE;
+ }
+ rawDataLength = tokenBodyLen - CONFOUNDER_SIZE - paddingLen;
+
+ verifyToken(null, rawData, rawDataOffset - CONFOUNDER_SIZE, tokenBodyLen, 0);
+ }
+
+ // Get plain text data from token data bytes
+ public byte[] unwrap() throws GSSException {
+ byte[] ret = new byte[rawDataLength];
+ System.arraycopy(rawData, rawDataOffset, ret, 0, rawDataLength);
+ return ret;
+ }
+
+ public void unwrap(OutputStream os) throws GSSException {
+ try {
+ os.write(rawData, rawDataOffset, rawDataLength);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Error in output wrap token v1 data bytes:" + e.getMessage());
+ }
+ }
+
+ public byte[] wrap() throws GSSException {
+ ByteArrayOutputStream os = new ByteArrayOutputStream(getTokenSizeWithoutGssHeader() + inLen + 64);
+ wrap(os);
+ return os.toByteArray();
+ }
+
+ public void wrap(OutputStream os) throws GSSException {
+ try {
+ encodeHeader(os);
+ if (privacy) {
+ byte[] enc = encryptor.encryptTokenV1(confounder, inData, inOffset, inLen, paddingLen,
+ encryptor.isArcFourHmac() ? getPlainSequenceBytes() : null, true);
+ os.write(enc);
+ } else {
+ os.write(confounder);
+ os.write(inData, inOffset, inLen);
+ os.write(getPaddingBytes(paddingLen));
+ }
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Error in output wrap token v1 bytes:" + e.getMessage());
+ }
+ }
+
+ protected int getTokenSizeWithoutGssHeader() {
+ return tokenBodyLen + getTokenHeaderSize();
+ }
+
+ private int getPaddingLength(int dataLen) {
+ if (encryptor.isArcFourHmac()) {
+ return 1;
+ }
+ return 8 - (dataLen % 8);
+ }
+
+ private byte[] getPaddingBytes(int len) {
+ byte[] ret = new byte[len];
+ int i = 0;
+ while (i < len) {
+ ret[i++] = (byte) len;
+ }
+ return ret;
+ }
+
+ public static int getMsgSizeLimit(int qop, boolean confReq, int maxTokSize, KerbyGssEncryptor encryptor)
+ throws GSSException {
+ return GSSHeader.getMaxMechTokenSize(objId, maxTokSize)
+ - encryptor.getCheckSumSize()
+ - TOKEN_HEADER_COMM_SIZE - TOKEN_HEADER_SEQ_SIZE
+ - CONFOUNDER_SIZE - 8;
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8618caeb/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV2.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV2.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV2.java
index 6d78304..3b2f1a0 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV2.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV2.java
@@ -148,7 +148,12 @@ public class WrapTokenV2 extends KerbyGssTokenV2 {
}
}
- static int getSizeLimit(int qop, boolean confReq, int maxTokSize) {
- return maxTokSize; // TODO: to be implemented
+ public static int getMsgSizeLimit(int qop, boolean confReq, int maxTokSize, KerbyGssEncryptor encryptor)
+ throws GSSException {
+ if (confReq) {
+ return maxTokSize - encryptor.getCheckSumSize() - TOKEN_HEADER_SIZE * 2 - CONFOUNDER_SIZE;
+ } else {
+ return maxTokSize - encryptor.getCheckSumSize() - TOKEN_HEADER_SIZE;
+ }
}
}
[11/18] directory-kerby git commit: Refactoring the package and
structure
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/976b16cf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV2.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV2.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV2.java
deleted file mode 100644
index 3b2f1a0..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV2.java
+++ /dev/null
@@ -1,159 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi.krb5;
-
-import org.apache.kerby.kerberos.kerb.Message;
-import org.ietf.jgss.GSSException;
-import org.ietf.jgss.MessageProp;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-
-
-public class WrapTokenV2 extends KerbyGssTokenV2 {
- private MessageProp prop;
-
- // Generate a token from user input data
- WrapTokenV2(KerbyContext context,
- byte[] data,
- int dataOffset,
- int dataLength,
- MessageProp messageProp) throws GSSException {
- super(TOKEN_WRAP_V2, context);
-
- prop = messageProp;
-
- if (prop.getQOP() != 0) {
- prop.setQOP(0);
- }
-
- if (!context.getConfState()) {
- prop.setPrivacy(false);
- }
-
- generateCheckSum(prop, data, dataOffset, dataLength);
-
- if (prop.getPrivacy()) {
- byte[] toProcess = new byte[dataLength + TOKEN_HEADER_SIZE];
- System.arraycopy(data, dataOffset, toProcess, 0, dataLength);
- encodeHeader(toProcess, dataLength);
-
- tokenData = encryptor.encryptData(toProcess, getKeyUsage());
- } else {
- tokenData = data; // keep it for now
- }
- }
-
- /**
- * Get bytes of the token
- * @return
- */
- public byte[] wrap() {
- int dataSize = tokenData.length;
- int ckSize = checkSum == null ? 0 : checkSum.length;
- byte[] ret = new byte[TOKEN_HEADER_SIZE + dataSize + ckSize];
- encodeHeader(ret, 0);
- System.arraycopy(tokenData, 0, ret, TOKEN_HEADER_SIZE, dataSize);
- if (ckSize > 0) {
- System.arraycopy(checkSum, 0, ret, TOKEN_HEADER_SIZE + dataSize, ckSize);
- }
- return ret;
- }
-
- public void wrap(OutputStream os) throws GSSException {
- try {
- encodeHeader(os);
- os.write(tokenData);
- int ckSize = checkSum == null ? 0 : checkSum.length;
- if (ckSize > 0) {
- os.write(checkSum);
- }
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1, "Output token error:" + e.getMessage());
- }
- }
-
- // Reconstruct a token from token bytes
- public WrapTokenV2(KerbyContext context, MessageProp prop, byte[] token, int offset, int len) throws GSSException {
- super(TOKEN_WRAP_V2, context, prop, token, offset, len);
- this.prop = prop;
- }
-
- // Reconstruct a token from token bytes stream
- public WrapTokenV2(KerbyContext context, MessageProp prop, InputStream is) throws GSSException {
- super(TOKEN_WRAP_V2, context, prop, is);
- this.prop = prop;
- }
-
- /**
- * Get plain text data from token bytes
- * @param outBuffer
- * @param offset
- * @return plain text contained in the wrap token
- * @throws GSSException
- */
- public byte[] unwrap(byte[] outBuffer, int offset) throws GSSException {
- int lenToCopy;
- if (prop.getPrivacy()) {
- byte[] plainText = encryptor.decryptData(tokenData, getKeyUsage());
- lenToCopy = plainText.length - TOKEN_HEADER_SIZE;
- if (outBuffer == null) {
- outBuffer = new byte[lenToCopy];
- offset = 0;
- }
- System.arraycopy(plainText, 0, outBuffer, offset, lenToCopy);
- } else {
- lenToCopy = tokenData.length - encryptor.getCheckSumSize();
- if (outBuffer == null) {
- outBuffer = new byte[lenToCopy];
- offset = 0;
- }
- System.arraycopy(tokenData, 0, outBuffer, offset, lenToCopy);
-
- if (!verifyCheckSum(outBuffer, offset, lenToCopy)) {
- throw new GSSException(GSSException.BAD_MIC, -1, "Corrupt token checksum");
- }
- }
- return outBuffer;
- }
-
- public byte[] unwrap() throws GSSException {
- return unwrap(null, 0);
- }
-
- public void unwrap(OutputStream os) throws GSSException {
- byte[] data = unwrap();
- try {
- os.write(data);
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1, "Output token error:" + e.getMessage());
- }
- }
-
- public static int getMsgSizeLimit(int qop, boolean confReq, int maxTokSize, KerbyGssEncryptor encryptor)
- throws GSSException {
- if (confReq) {
- return maxTokSize - encryptor.getCheckSumSize() - TOKEN_HEADER_SIZE * 2 - CONFOUNDER_SIZE;
- } else {
- return maxTokSize - encryptor.getCheckSumSize() - TOKEN_HEADER_SIZE;
- }
- }
-}
[14/18] directory-kerby git commit: Refactoring the package and
structure
Posted by co...@apache.org.
Refactoring the package and structure
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/976b16cf
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/976b16cf
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/976b16cf
Branch: refs/heads/trunk
Commit: 976b16cfc1f0caa16e1645b605d011a976f96418
Parents: 2bc1ac7
Author: Drankye <dr...@gmail.com>
Authored: Fri Jul 1 17:08:14 2016 +0800
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 14:59:37 2017 +0100
----------------------------------------------------------------------
.../kerb/integration/test/KerbyGssAppTest.java | 3 +-
.../kerby/kerberos/kerb/gss/GssMechFactory.java | 149 ++++
.../kerberos/kerb/gss/KerbyGssProvider.java | 46 ++
.../kerby/kerberos/kerb/gss/impl/CredUtils.java | 89 +++
.../kerberos/kerb/gss/impl/GssAcceptCred.java | 72 ++
.../kerberos/kerb/gss/impl/GssContext.java | 674 +++++++++++++++++++
.../kerberos/kerb/gss/impl/GssCredElement.java | 81 +++
.../kerberos/kerb/gss/impl/GssEncryptor.java | 388 +++++++++++
.../kerberos/kerb/gss/impl/GssInitCred.java | 53 ++
.../kerberos/kerb/gss/impl/GssNameElement.java | 135 ++++
.../kerberos/kerb/gss/impl/GssTokenBase.java | 59 ++
.../kerberos/kerb/gss/impl/GssTokenV1.java | 319 +++++++++
.../kerberos/kerb/gss/impl/GssTokenV2.java | 282 ++++++++
.../kerby/kerberos/kerb/gss/impl/GssUtil.java | 386 +++++++++++
.../kerberos/kerb/gss/impl/MicTokenV1.java | 92 +++
.../kerberos/kerb/gss/impl/MicTokenV2.java | 94 +++
.../kerberos/kerb/gss/impl/WrapTokenV1.java | 196 ++++++
.../kerberos/kerb/gss/impl/WrapTokenV2.java | 159 +++++
.../kerberos/kerb/gssapi/KerbyMechFactory.java | 149 ----
.../kerby/kerberos/kerb/gssapi/Provider.java | 46 --
.../kerberos/kerb/gssapi/krb5/CredUtils.java | 89 ---
.../kerb/gssapi/krb5/KerbyAcceptCred.java | 72 --
.../kerberos/kerb/gssapi/krb5/KerbyContext.java | 673 ------------------
.../kerb/gssapi/krb5/KerbyCredElement.java | 80 ---
.../kerb/gssapi/krb5/KerbyGssEncryptor.java | 388 -----------
.../kerb/gssapi/krb5/KerbyGssTokenBase.java | 59 --
.../kerb/gssapi/krb5/KerbyGssTokenV1.java | 319 ---------
.../kerb/gssapi/krb5/KerbyGssTokenV2.java | 282 --------
.../kerb/gssapi/krb5/KerbyInitCred.java | 53 --
.../kerb/gssapi/krb5/KerbyNameElement.java | 134 ----
.../kerberos/kerb/gssapi/krb5/KerbyUtil.java | 386 -----------
.../kerberos/kerb/gssapi/krb5/MicTokenV1.java | 92 ---
.../kerberos/kerb/gssapi/krb5/MicTokenV2.java | 94 ---
.../kerberos/kerb/gssapi/krb5/WrapTokenV1.java | 196 ------
.../kerberos/kerb/gssapi/krb5/WrapTokenV2.java | 159 -----
35 files changed, 3276 insertions(+), 3272 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/976b16cf/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyGssAppTest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyGssAppTest.java b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyGssAppTest.java
index d9030df..fbb3f3f 100644
--- a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyGssAppTest.java
+++ b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyGssAppTest.java
@@ -19,6 +19,7 @@
*/
package org.apache.kerby.kerberos.kerb.integration.test;
+import org.apache.kerby.kerberos.kerb.gss.KerbyGssProvider;
import org.junit.Before;
import org.junit.Test;
@@ -29,7 +30,7 @@ public class KerbyGssAppTest extends GssAppTest {
@Before
@Override
public void setUp() throws Exception {
- Provider provider = new org.apache.kerby.kerberos.kerb.gssapi.Provider();
+ Provider provider = new KerbyGssProvider();
java.security.Security.insertProviderAt(provider, 1);
super.setUp();
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/976b16cf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/GssMechFactory.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/GssMechFactory.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/GssMechFactory.java
new file mode 100644
index 0000000..735368b
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/GssMechFactory.java
@@ -0,0 +1,149 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss;
+
+import org.apache.kerby.kerberos.kerb.gss.impl.GssAcceptCred;
+import org.apache.kerby.kerberos.kerb.gss.impl.GssContext;
+import org.apache.kerby.kerberos.kerb.gss.impl.GssCredElement;
+import org.apache.kerby.kerberos.kerb.gss.impl.GssInitCred;
+import org.apache.kerby.kerberos.kerb.gss.impl.GssNameElement;
+import org.ietf.jgss.GSSCredential;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.GSSName;
+import org.ietf.jgss.Oid;
+import sun.security.jgss.GSSCaller;
+import sun.security.jgss.spi.GSSContextSpi;
+import sun.security.jgss.spi.GSSCredentialSpi;
+import sun.security.jgss.spi.GSSNameSpi;
+import sun.security.jgss.spi.MechanismFactory;
+
+import java.security.Provider;
+
+/**
+ * Kerby Kerberos V5 plugin for JGSS
+ */
+public class GssMechFactory implements MechanismFactory {
+ private static final Provider PROVIDER =
+ new KerbyGssProvider();
+
+ private static final String KRB5_OID_STRING = "1.2.840.113554.1.2.2";
+ private static final Oid KRB5_OID = createOid(KRB5_OID_STRING);
+
+ private static Oid[] nameTypes =
+ new Oid[] {
+ GSSName.NT_USER_NAME,
+ GSSName.NT_EXPORT_NAME,
+ GSSName.NT_HOSTBASED_SERVICE
+ };
+
+ private final GSSCaller caller;
+
+ public Oid getMechanismOid() {
+ return KRB5_OID;
+ }
+
+ public Provider getProvider() {
+ return PROVIDER;
+ }
+
+ public Oid[] getNameTypes() throws GSSException {
+ return nameTypes;
+ }
+
+ public GssMechFactory(GSSCaller caller) {
+ this.caller = caller;
+ }
+
+ public GSSNameSpi getNameElement(String nameStr, Oid nameType)
+ throws GSSException {
+ return GssNameElement.getInstance(nameStr, nameType);
+ }
+
+ public GSSNameSpi getNameElement(byte[] name, Oid nameType)
+ throws GSSException {
+ return GssNameElement.getInstance(name.toString(), nameType);
+ }
+
+ // Used by initiator
+ public GSSContextSpi getMechanismContext(GSSNameSpi peer,
+ GSSCredentialSpi myInitiatorCred,
+ int lifetime) throws GSSException {
+ if (peer != null && !(peer instanceof GssNameElement)) {
+ peer = GssNameElement.getInstance(peer.toString(), peer.getStringNameType());
+ }
+ if (myInitiatorCred == null) {
+ myInitiatorCred = getCredentialElement(null, lifetime, 0, GSSCredential.INITIATE_ONLY);
+ }
+ return new GssContext(caller, (GssNameElement) peer, (GssInitCred) myInitiatorCred, lifetime);
+ }
+
+ public GSSContextSpi getMechanismContext(GSSCredentialSpi myAcceptorCred)
+ throws GSSException {
+ if (myAcceptorCred == null) {
+ myAcceptorCred = getCredentialElement(null, 0,
+ GSSCredential.INDEFINITE_LIFETIME, GSSCredential.ACCEPT_ONLY);
+ }
+ return new GssContext(caller, (GssAcceptCred) myAcceptorCred);
+ }
+
+ // Reconstruct from previously exported context
+ public GSSContextSpi getMechanismContext(byte[] exportedContext)
+ throws GSSException {
+ return new GssContext(caller, exportedContext);
+ }
+
+ public GSSCredentialSpi getCredentialElement(GSSNameSpi name,
+ int initLifetime,
+ int acceptLifetime,
+ int usage)
+ throws GSSException {
+ if (name != null && !(name instanceof GssNameElement)) {
+ name = GssNameElement.getInstance(name.toString(), name.getStringNameType());
+ }
+
+ GssCredElement credElement;
+
+ if (usage == GSSCredential.INITIATE_ONLY) {
+ credElement = GssInitCred.getInstance(caller, (GssNameElement) name, initLifetime);
+ } else if (usage == GSSCredential.ACCEPT_ONLY) {
+ credElement = GssAcceptCred.getInstance(caller, (GssNameElement) name, acceptLifetime);
+ } else if (usage == GSSCredential.INITIATE_AND_ACCEPT) {
+ throw new GSSException(GSSException.FAILURE, -1, "Unsupported usage mode: INITIATE_AND_ACCEPT");
+ } else {
+ throw new GSSException(GSSException.FAILURE, -1, "Unknown usage mode: " + usage);
+ }
+
+ return credElement;
+ }
+
+ private static Oid createOid(String oidStr) {
+ Oid retVal;
+ try {
+ retVal = new Oid(oidStr);
+ } catch (GSSException e) {
+ retVal = null;
+ }
+ return retVal;
+ }
+
+ public static Oid getOid() {
+ return KRB5_OID;
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/976b16cf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/KerbyGssProvider.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/KerbyGssProvider.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/KerbyGssProvider.java
new file mode 100644
index 0000000..83c5404
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/KerbyGssProvider.java
@@ -0,0 +1,46 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss;
+
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+
+/**
+ * Proivder is used to register the implementation of gssapi mechanism into the system
+ */
+public final class KerbyGssProvider extends java.security.Provider {
+ private static final long serialVersionUID = 3787378212107821987L;
+ private static final String INFO = "Kerby Gssapi Provider";
+ private static final String MECHANISM_GSSAPI = "GssApiMechanism.1.2.840.113554.1.2.2";
+ private static final String MECHANISM_GSSAPI_CLASS = "org.apache.kerby.kerberos.kerb.gss.GssMechFactory";
+
+ public KerbyGssProvider() {
+ super("KerbyGssApi", 0.01d, INFO);
+
+ AccessController.doPrivileged(new PrivilegedAction<Void>() {
+ public Void run() {
+
+ put(MECHANISM_GSSAPI, MECHANISM_GSSAPI_CLASS);
+
+ return null;
+ }
+ });
+ }
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/976b16cf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/CredUtils.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/CredUtils.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/CredUtils.java
new file mode 100644
index 0000000..fdcb046
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/CredUtils.java
@@ -0,0 +1,89 @@
+package org.apache.kerby.kerberos.kerb.gss.impl;
+
+import org.ietf.jgss.GSSException;
+import sun.security.jgss.GSSCaller;
+
+import javax.security.auth.Subject;
+import javax.security.auth.kerberos.*;
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.util.Set;
+
+/**
+ * Utility functions to deal with credentials in Context
+ */
+public class CredUtils {
+
+ public static <T> Set<T> getContextPrivateCredentials(Class<T> credentialType, AccessControlContext acc) {
+ Subject subject = Subject.getSubject(acc);
+ Set<T> creds = subject.getPrivateCredentials(credentialType);
+ return creds;
+ }
+
+ public static <T> Set<T> getContextCredentials(final Class<T> credentialType) throws GSSException {
+ final AccessControlContext acc = AccessController.getContext();
+ try {
+ return AccessController.doPrivileged(
+ new PrivilegedExceptionAction<Set<T>>() {
+ public Set<T> run() throws Exception {
+ return CredUtils.getContextPrivateCredentials(credentialType, acc);
+ }
+ });
+ } catch (PrivilegedActionException e) {
+ throw new GSSException(GSSException.NO_CRED, -1, "Get credential from context failed");
+ }
+ }
+
+ public static KerberosTicket getKerberosTicketFromContext(GSSCaller caller,
+ final String clientName,
+ final String serverName) throws GSSException {
+ Set<KerberosTicket> tickets = getContextCredentials(KerberosTicket.class);
+ for (KerberosTicket ticket : tickets) {
+ if (ticket.isCurrent() && (serverName == null || ticket.getServer().getName().equals(serverName))
+ && (clientName == null || ticket.getClient().getName().equals(clientName))) {
+ return ticket;
+ }
+ }
+ return null;
+ }
+
+ public static KeyTab getKeyTabFromContext(KerberosPrincipal principal) throws GSSException {
+ Set<KeyTab> tabs = getContextCredentials(KeyTab.class);
+ for (KeyTab tab : tabs) {
+ KerberosKey[] keys = tab.getKeys(principal);
+ if (keys != null && keys.length > 0) {
+ return tab;
+ }
+ }
+ return null;
+ }
+
+ public static void addCredentialToSubject(final KerberosTicket ticket) throws GSSException {
+ final AccessControlContext acc = AccessController.getContext();
+
+ final Subject subject = AccessController.doPrivileged(
+ new java.security.PrivilegedAction<Subject>() {
+ public Subject run() {
+ return Subject.getSubject(acc);
+ }
+ });
+
+ AccessController.doPrivileged(
+ new java.security.PrivilegedAction<Void>() {
+ public Void run() {
+ subject.getPrivateCredentials().add(ticket);
+ return null;
+ }
+ });
+ }
+
+ public static void checkPrincipalPermission(String principalName, String action) {
+ SecurityManager sm = System.getSecurityManager();
+ if (sm != null) {
+ ServicePermission sp = new ServicePermission(principalName, action);
+ sm.checkPermission(sp);
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/976b16cf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssAcceptCred.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssAcceptCred.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssAcceptCred.java
new file mode 100644
index 0000000..9ba718f
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssAcceptCred.java
@@ -0,0 +1,72 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss.impl;
+
+
+import org.ietf.jgss.GSSException;
+import sun.security.jgss.GSSCaller;
+
+import javax.security.auth.kerberos.KerberosKey;
+import javax.security.auth.kerberos.KerberosPrincipal;
+import javax.security.auth.kerberos.KeyTab;
+
+public final class GssAcceptCred extends GssCredElement {
+
+ private final KeyTab keyTab;
+
+ public static GssAcceptCred getInstance(final GSSCaller caller,
+ GssNameElement name, int lifeTime) throws GSSException {
+
+ KerberosPrincipal princ = new KerberosPrincipal(name.getPrincipalName().getName(),
+ name.getPrincipalName().getNameType().getValue());
+ KeyTab keyTab = CredUtils.getKeyTabFromContext(princ);
+
+ if (keyTab == null) {
+ throw new GSSException(GSSException.NO_CRED, -1,
+ "Failed to find any Kerberos credential for " + name.getPrincipalName().getName());
+ }
+
+ return new GssAcceptCred(caller, name, keyTab, lifeTime);
+ }
+
+ private GssAcceptCred(GSSCaller caller, GssNameElement name, KeyTab keyTab, int lifeTime) {
+ super(caller, name);
+ this.keyTab = keyTab;
+ this.accLifeTime = lifeTime;
+ }
+
+ public boolean isInitiatorCredential() throws GSSException {
+ return false;
+ }
+
+ public boolean isAcceptorCredential() throws GSSException {
+ return true;
+ }
+
+ public KeyTab getKeyTab() {
+ return this.keyTab;
+ }
+
+ public KerberosKey[] getKeys() {
+ KerberosPrincipal princ = new KerberosPrincipal(name.getPrincipalName().getName(),
+ name.getPrincipalName().getNameType().getValue());
+ return keyTab.getKeys(princ);
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/976b16cf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssContext.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssContext.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssContext.java
new file mode 100644
index 0000000..bbb149a
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssContext.java
@@ -0,0 +1,674 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss.impl;
+
+import com.sun.security.jgss.InquireType;
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.gss.GssMechFactory;
+import org.apache.kerby.kerberos.kerb.gss.KerbyGssProvider;
+import org.apache.kerby.kerberos.kerb.request.ApRequest;
+import org.apache.kerby.kerberos.kerb.response.ApResponse;
+import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationData;
+import org.apache.kerby.kerberos.kerb.type.ap.ApRep;
+import org.apache.kerby.kerberos.kerb.type.ap.ApReq;
+import org.apache.kerby.kerberos.kerb.type.ap.Authenticator;
+import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
+import org.apache.kerby.kerberos.kerb.type.kdc.EncKdcRepPart;
+import org.apache.kerby.kerberos.kerb.type.ticket.EncTicketPart;
+import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
+import org.apache.kerby.kerberos.kerb.type.ticket.TicketFlags;
+import org.ietf.jgss.ChannelBinding;
+import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.MessageProp;
+import org.ietf.jgss.Oid;
+import sun.security.jgss.GSSCaller;
+import sun.security.jgss.spi.GSSContextSpi;
+import sun.security.jgss.spi.GSSCredentialSpi;
+import sun.security.jgss.spi.GSSNameSpi;
+
+import javax.security.auth.kerberos.KerberosTicket;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.nio.ByteBuffer;
+import java.security.Provider;
+
+@SuppressWarnings("PMD")
+public class GssContext implements GSSContextSpi {
+
+ private static final int STATE_NONE = 0;
+ private static final int STATE_ESTABLISHING = 1;
+ private static final int STATE_ESTABLISHED = 2;
+ private static final int STATE_DESTROYED = 3;
+
+ private static final byte[] MSG_AP_REQ = {(byte) 0x1, (byte) 0};
+ private static final byte[] MSG_AP_REP = {(byte) 0x2, (byte) 0};
+
+ private int ctxState = STATE_NONE;
+
+ private final GSSCaller caller;
+ private GssCredElement myCred;
+ private boolean initiator;
+ private GssNameElement myName;
+ private GssNameElement peerName;
+ private int lifeTime;
+ private ChannelBinding channelBinding;
+
+ private boolean mutualAuth = true;
+ private boolean replayDet = true;
+ private boolean sequenceDet = true;
+ private boolean credDeleg = false;
+ private boolean confState = true;
+ private boolean integState = true;
+ private boolean delegPolicy = false;
+
+ public static final int INVALID_KEY = 0;
+ public static final int SESSION_KEY = 1;
+ public static final int INITIATOR_SUBKEY = 2;
+ public static final int ACCEPTOR_SUBKEY = 4;
+ private int keyComesFrom = INVALID_KEY;
+
+ private EncryptionKey sessionKey; // used between client and app server
+ private TicketFlags ticketFlags;
+ private ApReq outApReq;
+
+ private GssEncryptor gssEncryptor;
+
+ // Called on initiator's side.
+ public GssContext(GSSCaller caller, GssNameElement peerName, GssCredElement myCred,
+ int lifeTime)
+ throws GSSException {
+ if (peerName == null) {
+ throw new IllegalArgumentException("Cannot have null peer name");
+ }
+
+ this.caller = caller;
+ this.peerName = peerName;
+ this.myCred = myCred;
+ this.lifeTime = lifeTime;
+ this.initiator = true;
+
+ mySequenceNumberLock = new Object();
+ peerSequenceNumberLock = new Object();
+ }
+
+ public GssContext(GSSCaller caller, GssAcceptCred myCred)
+ throws GSSException {
+ this.caller = caller;
+ this.myCred = myCred;
+ this.initiator = false;
+
+ mySequenceNumberLock = new Object();
+ peerSequenceNumberLock = new Object();
+ }
+
+ public GssContext(GSSCaller caller, byte[] interProcessToken)
+ throws GSSException {
+ throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported feature");
+ }
+
+ public Provider getProvider() {
+ return new KerbyGssProvider();
+ }
+
+ public void requestLifetime(int lifeTime) throws GSSException {
+ if (ctxState == STATE_NONE && isInitiator()) {
+ this.lifeTime = lifeTime;
+ }
+ }
+
+ public void requestMutualAuth(boolean state) throws GSSException {
+ if (ctxState == STATE_NONE && isInitiator()) {
+ mutualAuth = state;
+ }
+ }
+
+ public void requestReplayDet(boolean state) throws GSSException {
+ if (ctxState == STATE_NONE && isInitiator()) {
+ replayDet = state;
+ }
+ }
+
+ public void requestSequenceDet(boolean state) throws GSSException {
+ if (ctxState == STATE_NONE && isInitiator()) {
+ replayDet = state;
+ }
+ }
+
+ public void requestCredDeleg(boolean state) throws GSSException {
+ if (ctxState == STATE_NONE && isInitiator() && myCred == null) {
+ credDeleg = state;
+ }
+ }
+
+ public void requestAnonymity(boolean state) throws GSSException {
+ // anonymous context not supported
+ }
+
+ public void requestConf(boolean state) throws GSSException {
+ if (ctxState == STATE_NONE && isInitiator()) {
+ confState = state;
+ }
+ }
+
+ public void requestInteg(boolean state) throws GSSException {
+ if (ctxState == STATE_NONE && isInitiator()) {
+ integState = state;
+ }
+ }
+
+ public void requestDelegPolicy(boolean state) throws GSSException {
+ if (ctxState == STATE_NONE && isInitiator()) {
+ delegPolicy = state;
+ }
+ }
+
+ public void setChannelBinding(ChannelBinding cb) throws GSSException {
+ this.channelBinding = cb;
+ }
+
+ public boolean getCredDelegState() {
+ return credDeleg;
+ }
+
+ public boolean getMutualAuthState() {
+ return mutualAuth;
+ }
+
+ public boolean getReplayDetState() {
+ return replayDet || sequenceDet;
+ }
+
+ public boolean getSequenceDetState() {
+ return sequenceDet;
+ }
+
+ public boolean getAnonymityState() {
+ return false;
+ }
+
+ public boolean getDelegPolicyState() {
+ return delegPolicy;
+ }
+
+ public boolean isTransferable() throws GSSException {
+ return false;
+ }
+
+ public boolean isProtReady() {
+ return ctxState == STATE_ESTABLISHED;
+ }
+
+ public boolean isInitiator() {
+ return initiator;
+ }
+
+ public boolean getConfState() {
+ return confState;
+ }
+
+ public boolean getIntegState() {
+ return integState;
+ }
+
+ public int getLifetime() {
+ return GSSContext.INDEFINITE_LIFETIME;
+ }
+
+ public boolean isEstablished() {
+ return ctxState == STATE_ESTABLISHED;
+ }
+
+ public GSSNameSpi getSrcName() throws GSSException {
+ return isInitiator() ? myName : peerName;
+ }
+
+ public GSSNameSpi getTargName() throws GSSException {
+ return !isInitiator() ? myName : peerName;
+ }
+
+ public Oid getMech() throws GSSException {
+ return GssMechFactory.getOid();
+ }
+
+ public GSSCredentialSpi getDelegCred() throws GSSException {
+ throw new GSSException(GSSException.FAILURE, -1, "API not implemented"); // TODO:
+ }
+
+ public byte[] initSecContext(InputStream is, int mechTokenSize)
+ throws GSSException {
+ if (!isInitiator()) {
+ throw new GSSException(GSSException.FAILURE, -1, "initSecContext called on acceptor");
+ }
+
+ byte[] ret = null;
+
+ if (ctxState == STATE_NONE) {
+
+ if (!myCred.isInitiatorCredential()) {
+ throw new GSSException(GSSException.NO_CRED, -1, "No TGT available");
+ }
+
+ // check if service ticket already exists
+ // if not, prepare to get it through TGS_REQ
+ SgtTicket sgtTicket = null;
+ String serviceName = peerName.getPrincipalName().getName();
+ myName = (GssNameElement) myCred.getName();
+ PrincipalName clientPrincipal = myName.getPrincipalName();
+
+ sgtTicket = GssUtil.getSgtCredentialFromContext(caller, clientPrincipal.getName(), serviceName);
+
+ if (sgtTicket == null) {
+ sgtTicket = GssUtil.applySgtCredential(((GssInitCred) myCred).ticket, serviceName);
+
+ // add this service credential to context
+ final KerberosTicket ticket =
+ GssUtil.convertKrbTicketToKerberosTicket(sgtTicket, myName.getPrincipalName().getName());
+ CredUtils.addCredentialToSubject(ticket);
+ }
+
+ ApRequest apRequest = new ApRequest(clientPrincipal, sgtTicket);
+ try {
+ outApReq = apRequest.getApReq();
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Generate ApReq failed: " + e.getMessage());
+ }
+ setupInitiatorContext(sgtTicket, apRequest);
+ try {
+ ByteBuffer outBuffer = ByteBuffer.allocate(outApReq.encodingLength() + 2);
+ outBuffer.put(MSG_AP_REQ);
+ outApReq.encode(outBuffer);
+ outBuffer.flip();
+ ret = outBuffer.array();
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Generate ApReq bytes failed: " + e.getMessage());
+ }
+
+ ctxState = STATE_ESTABLISHING;
+ if (!getMutualAuthState()) {
+ gssEncryptor = new GssEncryptor(getSessionKey());
+ ctxState = STATE_ESTABLISHED;
+ }
+
+ } else if (ctxState == STATE_ESTABLISHING) {
+ verifyServerToken(is, mechTokenSize);
+ gssEncryptor = new GssEncryptor(getSessionKey());
+ outApReq = null;
+ ctxState = STATE_ESTABLISHED;
+ }
+ return ret;
+ }
+
+ private void setupInitiatorContext(SgtTicket sgt, ApRequest apRequest) throws GSSException {
+ EncKdcRepPart encKdcRepPart = sgt.getEncKdcRepPart();
+ TicketFlags ticketFlags = encKdcRepPart.getFlags();
+ setTicketFlags(ticketFlags);
+
+ setAuthTime(encKdcRepPart.getAuthTime().toString());
+
+ Authenticator auth;
+ try {
+ auth = apRequest.getApReq().getAuthenticator();
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "ApReq failed in Initiator");
+ }
+ setMySequenceNumber(auth.getSeqNumber());
+
+ EncryptionKey subKey = auth.getSubKey();
+ if (subKey != null) {
+ setSessionKey(subKey, GssContext.INITIATOR_SUBKEY);
+ } else {
+ setSessionKey(sgt.getSessionKey(), GssContext.SESSION_KEY);
+ }
+
+ if (!getMutualAuthState()) {
+ setPeerSequenceNumber(0);
+ }
+ }
+
+ /**
+ * Verify the AP_REP from server and set context accordingly
+ * @param is
+ * @param mechTokenSize
+ * @return
+ * @throws GSSException
+ * @throws IOException
+ */
+ private void verifyServerToken(InputStream is, int mechTokenSize)
+ throws GSSException {
+ byte[] token;
+ ApRep apRep;
+ try {
+ if (!(is.read() == MSG_AP_REP[0] && is.read() == MSG_AP_REP[1])) {
+ throw new GSSException(GSSException.FAILURE, -1, "Invalid ApRep message ID");
+ }
+ token = new byte[mechTokenSize - MSG_AP_REP.length];
+ is.read(token);
+ apRep = new ApRep();
+ apRep.decode(token);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Invalid ApRep " + e.getMessage());
+ }
+
+ try {
+ ApResponse.validate(getSessionKey(), apRep, outApReq);
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.UNAUTHORIZED, -1, "ApRep verification failed");
+ }
+
+ EncryptionKey key = apRep.getEncRepPart().getSubkey();
+ if (key != null) {
+ setSessionKey(key, ACCEPTOR_SUBKEY);
+ }
+
+ int seqNum = apRep.getEncRepPart().getSeqNumber();
+ setPeerSequenceNumber(seqNum == -1 ? 0 : seqNum);
+ }
+
+ public byte[] acceptSecContext(InputStream is, int mechTokenSize)
+ throws GSSException {
+ byte[] ret = null;
+
+ if (isInitiator()) {
+ throw new GSSException(GSSException.FAILURE, -1, "acceptSecContext called on initiator");
+ }
+
+ if (ctxState == STATE_NONE) {
+ ctxState = STATE_ESTABLISHING;
+ if (!myCred.isAcceptorCredential()) {
+ throw new GSSException(GSSException.FAILURE, -1, "No acceptor credential available");
+ }
+
+ GssAcceptCred acceptCred = (GssAcceptCred) myCred;
+ CredUtils.checkPrincipalPermission(
+ ((GssNameElement) acceptCred.getName()).getPrincipalName().getName(), "accept");
+
+ if (getMutualAuthState()) {
+ ret = verifyClientToken(acceptCred, is, mechTokenSize);
+ }
+
+ gssEncryptor = new GssEncryptor(getSessionKey());
+
+ myCred = null;
+ ctxState = STATE_ESTABLISHED;
+ }
+
+ return ret;
+ }
+
+ private byte[] verifyClientToken(GssAcceptCred acceptCred, InputStream is, int mechTokenSize)
+ throws GSSException {
+ byte[] token;
+ ApReq apReq;
+ try {
+ if (!(is.read() == MSG_AP_REQ[0] && is.read() == MSG_AP_REQ[1])) {
+ throw new GSSException(GSSException.FAILURE, -1, "Invalid ApReq message ID");
+ }
+
+ token = new byte[mechTokenSize - MSG_AP_REQ.length];
+ is.read(token);
+ apReq = new ApReq();
+ apReq.decode(token);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.UNAUTHORIZED, -1, "ApReq invalid:" + e.getMessage());
+ }
+
+ int kvno = apReq.getTicket().getEncryptedEncPart().getKvno();
+ int encryptType = apReq.getTicket().getEncryptedEncPart().getEType().getValue();
+
+ // Get server key from credential
+ EncryptionKey serverKey = GssUtil.getEncryptionKey(acceptCred.getKeys(), encryptType, kvno);
+ if (serverKey == null) {
+ throw new GSSException(GSSException.FAILURE, -1, "Server key not found");
+ }
+
+ try {
+ ApRequest.validate(serverKey, apReq, channelBinding.getInitiatorAddress(), 5 * 60 * 1000);
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.UNAUTHORIZED, -1, "ApReq verification failed: " + e.getMessage());
+ }
+
+ ApResponse apResponse = new ApResponse(apReq);
+ ApRep apRep;
+ try {
+ apRep = apResponse.getApRep();
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.UNAUTHORIZED, -1, "Generate ApRep failed");
+ }
+
+ EncTicketPart apReqTicketEncPart = apReq.getTicket().getEncPart();
+
+ EncryptionKey ssKey = apReqTicketEncPart.getKey();
+ Authenticator auth = apReq.getAuthenticator();
+ EncryptionKey subKey = auth.getSubKey();
+
+ if (subKey != null) {
+ setSessionKey(subKey, INITIATOR_SUBKEY);
+ } else {
+ setSessionKey(ssKey, SESSION_KEY);
+ }
+
+ // initial seqNumber
+ int seqNumber = auth.getSeqNumber();
+ setMySequenceNumber(seqNumber);
+ // initial authtime, tktflags, authdata,
+ setAuthTime(apReqTicketEncPart.getAuthTime().toString());
+ setTicketFlags(apReqTicketEncPart.getFlags());
+ setAuthData(apReqTicketEncPart.getAuthorizationData());
+
+ byte[] ret = null;
+ try {
+ ByteBuffer outBuffer = ByteBuffer.allocate(apRep.encodingLength() + 2);
+ outBuffer.put(MSG_AP_REP);
+ apRep.encode(outBuffer);
+ outBuffer.flip();
+ ret = outBuffer.array();
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Generate ApRep bytes failed:" + e.getMessage());
+ }
+ return ret;
+ }
+
+ public int getWrapSizeLimit(int qop, boolean confReq, int maxTokSize)
+ throws GSSException {
+ if (gssEncryptor.isV2()) {
+ return WrapTokenV2.getMsgSizeLimit(qop, confReq, maxTokSize, gssEncryptor);
+ } else {
+ return WrapTokenV1.getMsgSizeLimit(qop, confReq, maxTokSize, gssEncryptor);
+ }
+ }
+
+ public void wrap(InputStream is, OutputStream os, MessageProp msgProp)
+ throws GSSException {
+ if (ctxState != STATE_ESTABLISHED) {
+ throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for wrap");
+ }
+ if (gssEncryptor.isV2()) {
+ WrapTokenV2 token = new WrapTokenV2(this, inBuf, 0, len, msgProp);
+ token.wrap(os);
+ } else {
+ WrapTokenV1 token = new WrapTokenV1(this, inBuf, 0, len, msgProp);
+ token.wrap(os);
+ }
+ }
+
+ public byte[] wrap(byte[] inBuf, int offset, int len,
+ MessageProp msgProp) throws GSSException {
+ if (ctxState != STATE_ESTABLISHED) {
+ throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for wrap");
+ }
+ byte[] ret;
+ if (gssEncryptor.isV2()) {
+ WrapTokenV2 token = new WrapTokenV2(this, inBuf, offset, len, msgProp);
+ ret = token.wrap();
+ } else {
+ WrapTokenV1 token = new WrapTokenV1(this, inBuf, offset, len, msgProp);
+ ret = token.wrap();
+ }
+ return ret;
+ }
+
+ public void unwrap(InputStream is, OutputStream os,
+ MessageProp msgProp) throws GSSException {
+ if (gssEncryptor.isV2()) {
+ WrapTokenV2 token = new WrapTokenV2(this, msgProp, is);
+ token.unwrap(os);
+ } else {
+ WrapTokenV1 token = new WrapTokenV1(this, msgProp, is);
+ token.unwrap(os);
+ }
+ }
+
+ public byte[] unwrap(byte[] inBuf, int offset, int len,
+ MessageProp msgProp) throws GSSException {
+ if (ctxState != STATE_ESTABLISHED) {
+ throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for unwrap");
+ }
+ byte[] ret;
+ if (gssEncryptor.isV2()) {
+ WrapTokenV2 token = new WrapTokenV2(this, msgProp, inBuf, offset, len);
+ ret = token.unwrap();
+ } else {
+ WrapTokenV1 token = new WrapTokenV1(this, msgProp, inBuf, offset, len);
+ ret = token.unwrap();
+ }
+ return ret;
+ }
+
+ public void getMIC(InputStream is, OutputStream os,
+ MessageProp msgProp)
+ throws GSSException {
+ }
+
+ public byte[] getMIC(byte[] inMsg, int offset, int len,
+ MessageProp msgProp) throws GSSException {
+ return null; // TODO: to be implemented
+ }
+
+ public void verifyMIC(InputStream is, InputStream msgStr,
+ MessageProp msgProp) throws GSSException {
+ }
+
+ public void verifyMIC(byte[]inTok, int tokOffset, int tokLen,
+ byte[] inMsg, int msgOffset, int msgLen,
+ MessageProp msgProp) throws GSSException {
+ }
+
+ public byte[] export() throws GSSException {
+ throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported export method");
+ }
+
+ public void dispose() throws GSSException {
+ ctxState = STATE_DESTROYED;
+ setSessionKey(null, 0);
+ peerName = null;
+ myCred = null;
+ myName = null;
+ }
+
+
+ private String authTime;
+ private void setAuthTime(String authTime) {
+ this.authTime = authTime;
+ }
+
+ public Object inquireSecContext(InquireType type) throws GSSException {
+ if (ctxState != STATE_ESTABLISHED) {
+ throw new GSSException(GSSException.NO_CONTEXT, -1, "Invalid context");
+ }
+
+ switch (type) {
+ case KRB5_GET_SESSION_KEY:
+ return getSessionKey();
+ case KRB5_GET_TKT_FLAGS:
+ return GssUtil.ticketFlagsToBooleans(ticketFlags);
+ case KRB5_GET_AUTHZ_DATA:
+ if (isInitiator()) {
+ throw new GSSException(GSSException.UNAVAILABLE, -1,
+ "Authorization data not available for initiator");
+ } else {
+ return GssUtil.kerbyAuthorizationDataToJgssAuthorizationDataEntries(authData);
+ }
+ case KRB5_GET_AUTHTIME:
+ return authTime;
+ }
+ throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported inquire type");
+ }
+
+
+ // functions not belong to SPI
+ private void setSessionKey(EncryptionKey encryptionKey, int keyComesFrom) {
+ this.sessionKey = encryptionKey;
+ this.keyComesFrom = keyComesFrom;
+ }
+
+ public int getKeyComesFrom() {
+ return keyComesFrom;
+ }
+
+ private EncryptionKey getSessionKey() {
+ return sessionKey;
+ }
+
+ private void setTicketFlags(TicketFlags ticketFlags) {
+ this.ticketFlags = ticketFlags;
+ }
+
+ private AuthorizationData authData;
+ private void setAuthData(AuthorizationData authData) {
+ this.authData = authData;
+ }
+
+
+ private int mySequenceNumber;
+ private int peerSequenceNumber;
+ private Object mySequenceNumberLock;
+ private Object peerSequenceNumberLock;
+
+ public void setMySequenceNumber(int sequenceNumber) {
+ synchronized (mySequenceNumberLock) {
+ mySequenceNumber = sequenceNumber;
+ }
+ }
+
+ public int incMySequenceNumber() {
+ synchronized (mySequenceNumberLock) {
+ return mySequenceNumber++;
+ }
+ }
+
+ public void setPeerSequenceNumber(int sequenceNumber) {
+ synchronized (peerSequenceNumberLock) {
+ peerSequenceNumber = sequenceNumber;
+ }
+ }
+
+ public int incPeerSequenceNumber() {
+ synchronized (peerSequenceNumberLock) {
+ return peerSequenceNumber++;
+ }
+ }
+
+ public GssEncryptor getGssEncryptor() {
+ return gssEncryptor;
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/976b16cf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssCredElement.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssCredElement.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssCredElement.java
new file mode 100644
index 0000000..657f222
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssCredElement.java
@@ -0,0 +1,81 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss.impl;
+
+import org.apache.kerby.kerberos.kerb.gss.KerbyGssProvider;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.Oid;
+import sun.security.jgss.GSSCaller;
+import sun.security.jgss.spi.GSSCredentialSpi;
+import sun.security.jgss.spi.GSSNameSpi;
+
+import java.security.Provider;
+
+public abstract class GssCredElement implements GSSCredentialSpi {
+
+ static final Oid KRB5_OID = createOid("1.2.840.113554.1.2.2");
+
+ protected GSSCaller caller;
+ protected GssNameElement name;
+ protected int initLifeTime;
+ protected int accLifeTime;
+
+ GssCredElement(GSSCaller caller, GssNameElement name) {
+ this.caller = caller;
+ this.name = name;
+ }
+
+ public Provider getProvider() {
+ return new KerbyGssProvider();
+ }
+
+ public void dispose() throws GSSException {
+ }
+
+ public GSSNameSpi getName() throws GSSException {
+ return name;
+ }
+
+ public int getInitLifetime() throws GSSException {
+ return initLifeTime;
+ }
+
+ public int getAcceptLifetime() throws GSSException {
+ return accLifeTime;
+ }
+
+ public Oid getMechanism() {
+ return KRB5_OID;
+ }
+
+ public GSSCredentialSpi impersonate(GSSNameSpi name) throws GSSException {
+ throw new GSSException(GSSException.FAILURE, -1, "Unsupported feature"); // TODO:
+ }
+
+ private static Oid createOid(String oidStr) {
+ Oid retVal;
+ try {
+ retVal = new Oid(oidStr);
+ } catch (GSSException e) {
+ retVal = null; // get rid of blank catch block warning
+ }
+ return retVal;
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/976b16cf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssEncryptor.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssEncryptor.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssEncryptor.java
new file mode 100644
index 0000000..4eb96e3
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssEncryptor.java
@@ -0,0 +1,388 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss.impl;
+
+
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.crypto.CheckSumHandler;
+import org.apache.kerby.kerberos.kerb.crypto.CheckSumTypeHandler;
+import org.apache.kerby.kerberos.kerb.crypto.EncTypeHandler;
+import org.apache.kerby.kerberos.kerb.crypto.EncryptionHandler;
+import org.apache.kerby.kerberos.kerb.crypto.cksum.provider.Md5Provider;
+import org.apache.kerby.kerberos.kerb.crypto.enc.provider.DesProvider;
+import org.apache.kerby.kerberos.kerb.crypto.enc.provider.Rc4Provider;
+import org.apache.kerby.kerberos.kerb.type.base.CheckSumType;
+import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.type.base.EncryptionType;
+import org.ietf.jgss.GSSException;
+
+import javax.crypto.Mac;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
+
+/**
+ * This class implements encryption related function used in GSS tokens
+ */
+public class GssEncryptor {
+
+ private final EncryptionKey encKey;
+ private final EncryptionType encKeyType; // The following two variables used for convenience
+ private final byte[] encKeyBytes;
+
+ private CheckSumType checkSumTypeDef;
+ private int checkSumSize;
+
+ private boolean isV2 = false;
+ private int sgnAlg = 0xFFFF;
+ private int sealAlg = 0xFFFF;
+ private boolean isArcFourHmac = false;
+
+ private static final byte[] IV_ZEROR_8B = new byte[8];
+
+ public GssEncryptor(EncryptionKey key) throws GSSException {
+ encKey = key;
+ encKeyBytes = encKey.getKeyData();
+ encKeyType = key.getKeyType();
+
+ if (encKeyType == EncryptionType.AES128_CTS_HMAC_SHA1_96) {
+ checkSumSize = 12;
+ checkSumTypeDef = CheckSumType.HMAC_SHA1_96_AES128;
+ isV2 = true;
+ } else if (encKeyType == EncryptionType.AES256_CTS_HMAC_SHA1_96) {
+ checkSumSize = 12;
+ checkSumTypeDef = CheckSumType.HMAC_SHA1_96_AES256;
+ isV2 = true;
+ } else if (encKeyType == EncryptionType.DES_CBC_CRC || encKeyType == EncryptionType.DES_CBC_MD5) {
+ sgnAlg = GssTokenV1.SGN_ALG_DES_MAC_MD5;
+ sealAlg = GssTokenV1.SEAL_ALG_DES;
+ checkSumSize = 8;
+ } else if (encKeyType == EncryptionType.DES3_CBC_SHA1) {
+ sgnAlg = GssTokenV1.SGN_ALG_HMAC_SHA1_DES3_KD;
+ sealAlg = GssTokenV1.SEAL_ALG_DES3_KD;
+ checkSumSize = 20;
+ } else if (encKeyType == EncryptionType.ARCFOUR_HMAC) {
+ sgnAlg = GssTokenV1.SGN_ALG_RC4_HMAC;
+ sealAlg = GssTokenV1.SEAL_ALG_RC4_HMAC;
+ checkSumSize = 16;
+ isArcFourHmac = true;
+ } else {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Invalid encryption type: " + encKeyType.getDisplayName());
+ }
+ }
+
+ /**
+ * Return true if it is encryption type defined in RFC 4121
+ * @return
+ */
+ public boolean isV2() {
+ return isV2;
+ }
+
+ public int getSgnAlg() {
+ return sgnAlg;
+ }
+
+ public int getSealAlg() {
+ return sealAlg;
+ }
+
+ public boolean isArcFourHmac() {
+ return isArcFourHmac;
+ }
+
+ public byte[] encryptData(byte[] tokenHeader, byte[] data,
+ int offset, int len, int keyUsage) throws GSSException {
+ byte[] ret;
+ byte[] toProcess = new byte[tokenHeader.length + len];
+ System.arraycopy(data, offset, toProcess, 0, len);
+ System.arraycopy(tokenHeader, 0, toProcess, len, tokenHeader.length);
+
+ ret = encryptData(toProcess, keyUsage);
+ return ret;
+ }
+
+ public byte[] encryptData(byte[] toProcess, int keyUsage) throws GSSException {
+ byte[] ret;
+ try {
+ EncTypeHandler encHandler = EncryptionHandler.getEncHandler(encKey.getKeyType());
+ ret = encHandler.encrypt(toProcess, encKey.getKeyData(), keyUsage);
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1, e.getMessage());
+ }
+ return ret;
+ }
+
+ public byte[] decryptData(byte[] dataEncrypted, int keyUsage) throws GSSException {
+ byte[] ret;
+ try {
+ EncTypeHandler encHandler = EncryptionHandler.getEncHandler(encKey.getKeyType());
+ ret = encHandler.decrypt(dataEncrypted, encKey.getKeyData(), keyUsage);
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1, e.getMessage());
+ }
+ return ret;
+ }
+
+ public byte[] calculateCheckSum(byte[] header, byte[] data, int offset, int len, int keyUsage)
+ throws GSSException {
+ int totalLen = len + (header == null ? 0 : header.length);
+ byte[] buffer = new byte[totalLen];
+ System.arraycopy(data, offset, buffer, 0, len);
+ if (header != null) {
+ System.arraycopy(header, 0, buffer, len, header.length);
+ }
+
+ try {
+ return CheckSumHandler.getCheckSumHandler(checkSumTypeDef)
+ .checksumWithKey(buffer, encKey.getKeyData(), keyUsage);
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Exception in checksum calculation:" + e.getMessage());
+ }
+ }
+
+ /**
+ * Get the size of the corresponding checksum algorithm
+ * @return
+ * @throws GSSException
+ */
+ public int getCheckSumSize() throws GSSException {
+ return checkSumSize;
+ }
+
+
+ private void addPadding(int paddingLen, byte[] outBuf, int offset) {
+ for (int i = 0; i < paddingLen; i++) {
+ outBuf[offset + i] = (byte) paddingLen;
+ }
+ }
+
+ private byte[] getFirstBytes(byte[] src, int len) {
+ if (len < src.length) {
+ byte[] ret = new byte[len];
+ System.arraycopy(src, 0, ret, 0, len);
+ return ret;
+ }
+ return src;
+ }
+
+ private byte[] getKeyBytesWithLength(int len) {
+ return getFirstBytes(encKeyBytes, len);
+ }
+
+ public byte[] calculateCheckSum(byte[] confounder, byte[] header,
+ byte[] data, int offset, int len, int paddingLen, boolean isMic)
+ throws GSSException {
+ byte[] ret;
+ int keyUsage = GssTokenV1.KG_USAGE_SIGN;
+ CheckSumTypeHandler handler;
+
+ int keySize;
+ byte[] key;
+ byte[] toProc;
+ int toOffset;
+ int toLen = (confounder == null ? 0 : confounder.length)
+ + (header == null ? 0 : header.length) + len + paddingLen;
+ if (toLen == len) {
+ toProc = data;
+ toOffset = offset;
+ } else {
+ toOffset = 0;
+ int idx = 0;
+ toProc = new byte[toLen];
+
+ if (header != null) {
+ System.arraycopy(header, 0, toProc, idx, header.length);
+ idx += header.length;
+ }
+
+ if (confounder != null) {
+ System.arraycopy(confounder, 0, toProc, idx, confounder.length);
+ idx += confounder.length;
+ }
+
+ System.arraycopy(data, offset, toProc, idx, len);
+ addPadding(paddingLen, toProc, len + idx);
+ }
+
+ CheckSumType chksumType;
+ try {
+ switch (sgnAlg) {
+ case GssTokenV1.SGN_ALG_DES_MAC_MD5:
+ Md5Provider md5Provider = new Md5Provider();
+ md5Provider.hash(toProc);
+ toProc = md5Provider.output();
+
+ case GssTokenV1.SGN_ALG_DES_MAC:
+ DesProvider desProvider = new DesProvider();
+ return desProvider.cbcMac(encKeyBytes, IV_ZEROR_8B, toProc);
+
+ case GssTokenV1.SGN_ALG_HMAC_SHA1_DES3_KD:
+ chksumType = CheckSumType.HMAC_SHA1_DES3_KD;
+ break;
+ case GssTokenV1.SGN_ALG_RC4_HMAC:
+ chksumType = CheckSumType.MD5_HMAC_ARCFOUR;
+ if (isMic) {
+ keyUsage = GssTokenV1.KG_USAGE_MS_SIGN;
+ }
+ break;
+ case GssTokenV1.SGN_ALG_MD25:
+ throw new GSSException(GSSException.FAILURE, -1, "CheckSum not implemented for SGN_ALG_MD25");
+ default:
+ throw new GSSException(GSSException.FAILURE, -1, "CheckSum not implemented for sgnAlg=" + sgnAlg);
+ }
+ handler = CheckSumHandler.getCheckSumHandler(chksumType);
+ keySize = handler.keySize();
+ key = getKeyBytesWithLength(keySize);
+ ret = handler.checksumWithKey(toProc, toOffset, toLen, key, keyUsage);
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Exception in checksum calculation sgnAlg = " + sgnAlg + " : " + e.getMessage());
+ }
+ return ret;
+ }
+
+ public byte[] encryptSequenceNumber(byte[] seqBytes, byte[] ivSrc, boolean encrypt)
+ throws GSSException {
+ EncTypeHandler handler;
+ try {
+ switch (sgnAlg) {
+ case GssTokenV1.SGN_ALG_DES_MAC_MD5:
+ case GssTokenV1.SGN_ALG_DES_MAC:
+ DesProvider desProvider = new DesProvider();
+ byte[] data = seqBytes.clone();
+ if (encrypt) {
+ desProvider.encrypt(encKeyBytes, ivSrc, data);
+ } else {
+ desProvider.decrypt(encKeyBytes, ivSrc, data);
+ }
+ return data;
+ case GssTokenV1.SGN_ALG_HMAC_SHA1_DES3_KD:
+ handler = EncryptionHandler.getEncHandler(EncryptionType.DES3_CBC_SHA1_KD);
+ break;
+ case GssTokenV1.SGN_ALG_RC4_HMAC:
+ return encryptArcFourHmac(seqBytes, getKeyBytesWithLength(16), getFirstBytes(ivSrc, 8), encrypt);
+ case GssTokenV1.SGN_ALG_MD25:
+ throw new GSSException(GSSException.FAILURE, -1, "EncSeq not implemented for SGN_ALG_MD25");
+ default:
+ throw new GSSException(GSSException.FAILURE, -1, "EncSeq not implemented for sgnAlg=" + sgnAlg);
+ }
+ int keySize = handler.keySize();
+ byte[] key = getKeyBytesWithLength(keySize);
+ int ivLen = handler.encProvider().blockSize();
+ byte[] iv = getFirstBytes(ivSrc, ivLen);
+ if (encrypt) {
+ return handler.encryptRaw(seqBytes, key, iv, GssTokenV1.KG_USAGE_SEQ);
+ } else {
+ return handler.decryptRaw(seqBytes, key, iv, GssTokenV1.KG_USAGE_SEQ);
+ }
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Exception in encrypt seq number sgnAlg = " + sgnAlg + " : " + e.getMessage());
+ }
+ }
+
+ private byte[] getHmacMd5(byte[] key, byte[] salt) throws GSSException {
+ try {
+ SecretKey secretKey = new SecretKeySpec(key, "HmacMD5");
+ Mac mac = Mac.getInstance("HmacMD5");
+ mac.init(secretKey);
+ return mac.doFinal(salt);
+ } catch (Exception e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Get HmacMD5 failed: " + e.getMessage());
+ }
+ }
+
+ private byte[] encryptArcFourHmac(byte[] data, byte[] key, byte[] iv, boolean encrypt)
+ throws GSSException {
+ byte[] sk1 = getHmacMd5(key, new byte[4]);
+ byte[] sk2 = getHmacMd5(sk1, iv);
+ Rc4Provider provider = new Rc4Provider();
+ try {
+ byte[] ret = data.clone();
+ if (encrypt) {
+ provider.encrypt(sk2, ret);
+ } else {
+ provider.decrypt(sk2, ret);
+ }
+ return ret;
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "En/Decrypt sequence failed for ArcFourHmac: " + e.getMessage());
+ }
+ }
+
+ private byte[] encryptDataArcFourHmac(byte[] data, byte[] key, byte[] seqNum, boolean encrypt) throws GSSException {
+ byte[] dataKey = new byte[key.length];
+ for (int i = 0; i <= 15; i++) {
+ dataKey[i] = (byte) (key[i] ^ 0xF0);
+ }
+ return encryptArcFourHmac(data, dataKey, seqNum, encrypt);
+ }
+
+ public byte[] encryptTokenV1(byte[] confounder, byte[] data, int offset, int len,
+ int paddingLen, byte[] seqNumber, boolean encrypt) throws GSSException {
+ byte[] toProc;
+ if (encrypt) {
+ int toLen = (confounder == null ? 0 : confounder.length) + len + paddingLen;
+ int index = 0;
+ toProc = new byte[toLen];
+ if (confounder != null) {
+ System.arraycopy(confounder, 0, toProc, 0, confounder.length);
+ index += confounder.length;
+ }
+ System.arraycopy(data, offset, toProc, index, len);
+ addPadding(paddingLen, toProc, index + len);
+ } else {
+ toProc = data;
+ if (data.length != len) {
+ toProc = new byte[len];
+ System.arraycopy(data, offset, toProc, 0, len);
+ }
+ }
+ EncTypeHandler handler;
+ try {
+ switch (sealAlg) {
+ case GssTokenV1.SEAL_ALG_DES:
+ handler = EncryptionHandler.getEncHandler(EncryptionType.DES_CBC_MD5);
+ break;
+ case GssTokenV1.SEAL_ALG_DES3_KD:
+ handler = EncryptionHandler.getEncHandler(EncryptionType.DES3_CBC_SHA1_KD);
+ break;
+ case GssTokenV1.SEAL_ALG_RC4_HMAC:
+ return encryptDataArcFourHmac(toProc, getKeyBytesWithLength(16), seqNumber, encrypt);
+ default:
+ throw new GSSException(GSSException.FAILURE, -1, "Unknown encryption type sealAlg = " + sealAlg);
+ }
+
+ int keySize = handler.keySize();
+ byte[] key = getKeyBytesWithLength(keySize);
+ if (encrypt) {
+ return handler.encryptRaw(toProc, key, GssTokenV1.KG_USAGE_SEAL);
+ } else {
+ return handler.decryptRaw(toProc, key, GssTokenV1.KG_USAGE_SEAL);
+ }
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Exception in encrypt data sealAlg = " + sealAlg + " : " + e.getMessage());
+ }
+ }
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/976b16cf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssInitCred.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssInitCred.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssInitCred.java
new file mode 100644
index 0000000..0b2516d
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssInitCred.java
@@ -0,0 +1,53 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss.impl;
+
+import org.ietf.jgss.GSSException;
+import sun.security.jgss.GSSCaller;
+
+import javax.security.auth.kerberos.KerberosTicket;
+
+public final class GssInitCred extends GssCredElement {
+
+ public KerberosTicket ticket;
+
+ private GssInitCred(GSSCaller caller, GssNameElement name, KerberosTicket ticket, int lifeTime) {
+ super(caller, name);
+ this.ticket = ticket;
+ this.initLifeTime = lifeTime;
+ }
+
+ public static GssInitCred getInstance(GSSCaller caller, GssNameElement name, int lifeTime) throws GSSException {
+ KerberosTicket ticket = CredUtils.getKerberosTicketFromContext(caller, name.getPrincipalName().getName(), null);
+ return new GssInitCred(caller, name, ticket, lifeTime);
+ }
+
+ public boolean isInitiatorCredential() throws GSSException {
+ return true;
+ }
+
+ public boolean isAcceptorCredential() throws GSSException {
+ return false;
+ }
+
+ public KerberosTicket getKerberosTicket() {
+ return ticket;
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/976b16cf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssNameElement.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssNameElement.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssNameElement.java
new file mode 100644
index 0000000..bd5c8a4
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssNameElement.java
@@ -0,0 +1,135 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss.impl;
+
+import org.apache.kerby.kerberos.kerb.gss.GssMechFactory;
+import org.apache.kerby.kerberos.kerb.gss.KerbyGssProvider;
+import org.apache.kerby.kerberos.kerb.type.base.NameType;
+import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.GSSName;
+import org.ietf.jgss.Oid;
+import sun.security.jgss.spi.GSSNameSpi;
+import java.io.UnsupportedEncodingException;
+import java.security.Provider;
+
+public class GssNameElement implements GSSNameSpi {
+
+ private PrincipalName principalName;
+ private Oid nameType = null;
+
+ GssNameElement(PrincipalName principalName,
+ Oid nameType) {
+ this.principalName = principalName;
+ this.nameType = nameType;
+ }
+
+ public PrincipalName toKerbyPrincipalName(sun.security.krb5.PrincipalName name) {
+ return new PrincipalName(name.getNameString(), toKerbyNameType(name.getNameType()));
+ }
+
+ private NameType toKerbyNameType(int intNameType) {
+ return NameType.fromValue(intNameType);
+ }
+
+ public static NameType toKerbyNameType(Oid nameType) throws GSSException {
+ NameType kerbyNameType;
+
+ if (nameType == null) {
+ throw new GSSException(GSSException.BAD_NAMETYPE);
+ }
+
+ if (nameType.equals(GSSName.NT_EXPORT_NAME) || nameType.equals(GSSName.NT_USER_NAME)) {
+ kerbyNameType = NameType.NT_PRINCIPAL;
+ } else if (nameType.equals(GSSName.NT_HOSTBASED_SERVICE)) {
+ kerbyNameType = NameType.NT_SRV_HST;
+ } else {
+ throw new GSSException(GSSException.BAD_NAMETYPE, 0, "Unsupported Oid name type");
+ }
+ return kerbyNameType;
+ }
+
+ public static GssNameElement getInstance(String name, Oid oidNameType)
+ throws GSSException {
+ PrincipalName principalName = new PrincipalName(name, toKerbyNameType(oidNameType));
+ return new GssNameElement(principalName, oidNameType);
+ }
+
+ public Provider getProvider() {
+ return new KerbyGssProvider();
+ }
+
+ public boolean equals(GSSNameSpi name) throws GSSException {
+ if (name == null || name.isAnonymousName() || isAnonymousName()) {
+ return false;
+ }
+ return this.toString().equals(name.toString()) && this.getStringNameType().equals(name.getStringNameType());
+ }
+
+ public final PrincipalName getPrincipalName() {
+ return principalName;
+ }
+
+ public boolean equals(Object another) {
+ if (another == null) {
+ return false;
+ }
+
+ try {
+ if (another instanceof GSSNameSpi) {
+ return equals((GSSNameSpi) another);
+ }
+ } catch (GSSException e) {
+ return false;
+ }
+
+ return false;
+ }
+
+ public int hashCode() {
+ return principalName.hashCode();
+ }
+
+ public byte[] export() throws GSSException {
+ byte[] retVal;
+ try {
+ retVal = principalName.getName().getBytes("UTF-8");
+ } catch (UnsupportedEncodingException e) {
+ throw new GSSException(GSSException.BAD_NAME, -1, e.getMessage());
+ }
+ return retVal;
+ }
+
+ public Oid getMechanism() {
+ return GssMechFactory.getOid();
+ }
+
+ public String toString() {
+ return principalName.toString();
+ }
+
+ public Oid getStringNameType() {
+ return nameType;
+ }
+
+ public boolean isAnonymousName() {
+ return nameType.equals(GSSName.NT_ANONYMOUS);
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/976b16cf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssTokenBase.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssTokenBase.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssTokenBase.java
new file mode 100644
index 0000000..ec66aa5
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssTokenBase.java
@@ -0,0 +1,59 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss.impl;
+
+
+public abstract class GssTokenBase {
+ public static final int TOKEN_WRAP_V1 = 0x201;
+ public static final int TOKEN_MIC_V1 = 0x101;
+ public static final int TOKEN_WRAP_V2 = 0x504;
+ public static final int TOKEN_MIC_V2 = 0x404;
+
+ public void writeBigEndian(byte[] buf, int offset, int value) {
+ buf[offset] = (byte) (value >>> 24);
+ buf[offset + 1] = (byte) (value >>> 16);
+ buf[offset + 2] = (byte) (value >>> 8);
+ buf[offset + 3] = (byte) (value);
+ }
+
+ public int readBigEndian(byte[] buf, int offset) {
+ int value = 0;
+ value += (buf[offset] & 0xFF) << 24;
+ value += (buf[offset + 1] & 0xFF) << 16;
+ value += (buf[offset + 2] & 0xFF) << 8;
+ value += buf[offset + 3] & 0xFF;
+ return value;
+ }
+
+ /**
+ *
+ * @param buf
+ * @param offset
+ * @param len should not be larger than sizeof(int)
+ * @return
+ */
+ public int readBigEndian(byte[] buf, int offset, int len) {
+ int value = 0;
+ for (int i = 0; i < len; i++) {
+ value += (buf[offset + i] & 0xFF) << 8;
+ }
+ return value;
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/976b16cf/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssTokenV1.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssTokenV1.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssTokenV1.java
new file mode 100644
index 0000000..1f063c3
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssTokenV1.java
@@ -0,0 +1,319 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss.impl;
+
+
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.MessageProp;
+import sun.security.jgss.GSSHeader;
+import sun.security.util.ObjectIdentifier;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.security.MessageDigest;
+
+/**
+ * This class implements the token formats defined in RFC 1964 and its updates
+ *
+ * The GSS Wrap token has the following format:
+ *
+ * Byte no Name Description
+ * 0..1 TOK_ID 0201
+ *
+ * 2..3 SGN_ALG Checksum algorithm indicator.
+ * 00 00 DES MAC MD5
+ * 01 00 MD2.5
+ * 02 00 DES MAC
+ * 04 00 HMAC SHA1 DES3-KD
+ * 11 00 RC4-HMAC used by Microsoft Windows, RFC 4757
+ * 4..5 SEAL_ALG ff ff none
+ * 00 00 DES
+ * 02 00 DES3-KD
+ * 10 00 RC4-HMAC
+ * 6..7 Filler FF FF
+ * 8..15 SND_SEQ Encrypted sequence number field.
+ * 16..23 SNG_CKSUM Checksum of plaintext padded data,
+ * calculated according to algorithm
+ * specified in SGN_ALG field.
+ * 24.. Data Encrypted or plaintext padded data
+ *
+ *
+ *
+ * Use of the GSS MIC token has the following format:
+
+ * Byte no Name Description
+ * 0..1 TOK_ID 0101
+ * 2..3 SGN_ALG Integrity algorithm indicator.
+ * 4..7 Filler Contains ff ff ff ff
+ * 8..15 SND_SEQ Sequence number field.
+ * 16..23 SGN_CKSUM Checksum of "to-be-signed data",
+ * calculated according to algorithm
+ * specified in SGN_ALG field.
+ *
+ */
+abstract class GssTokenV1 extends GssTokenBase {
+ // SGN ALG
+ public static final int SGN_ALG_DES_MAC_MD5 = 0;
+ public static final int SGN_ALG_MD25 = 0x0100;
+ public static final int SGN_ALG_DES_MAC = 0x0200;
+ public static final int SGN_ALG_HMAC_SHA1_DES3_KD = 0x0400;
+ public static final int SGN_ALG_RC4_HMAC = 0x1100;
+
+ // SEAL ALG
+ public static final int SEAL_ALG_NONE = 0xFFFF;
+ public static final int SEAL_ALG_DES = 0x0; // "DES/CBC/NoPadding"
+ public static final int SEAL_ALG_DES3_KD = 0x0200;
+ public static final int SEAL_ALG_RC4_HMAC = 0x1000;
+
+ public static final int KG_USAGE_SEAL = 22;
+ public static final int KG_USAGE_SIGN = 23;
+ public static final int KG_USAGE_SEQ = 24;
+ public static final int KG_USAGE_MS_SIGN = 15;
+
+ private boolean isInitiator;
+ private boolean confState;
+ private int sequenceNumber;
+
+ protected GssEncryptor encryptor;
+
+ private GSSHeader gssHeader;
+
+ public static final int TOKEN_HEADER_COMM_SIZE = 8;
+ public static final int TOKEN_HEADER_SEQ_SIZE = 8;
+
+ // Token commHeader data
+ private int tokenType;
+ private byte[] commHeader = new byte[TOKEN_HEADER_COMM_SIZE];
+ private int sgnAlg;
+ private int sealAlg;
+
+ private byte[] plainSequenceBytes;
+ private byte[] encryptedSequenceNumber = new byte[TOKEN_HEADER_SEQ_SIZE];
+ private byte[] checkSum;
+ private int checkSumSize;
+
+ protected int reconHeaderLen; // only used for certain reason
+
+ public static ObjectIdentifier objId;
+
+ static {
+ try {
+ objId = new ObjectIdentifier("1.2.840.113554.1.2.2");
+ } catch (IOException ioe) { // NOPMD
+ }
+ }
+
+ protected int getTokenHeaderSize() {
+ return TOKEN_HEADER_COMM_SIZE + TOKEN_HEADER_SEQ_SIZE + checkSumSize;
+ }
+
+ protected byte[] getPlainSequenceBytes() {
+ byte[] ret = new byte[4];
+ ret[0] = plainSequenceBytes[0];
+ ret[1] = plainSequenceBytes[1];
+ ret[2] = plainSequenceBytes[2];
+ ret[3] = plainSequenceBytes[3];
+ return ret;
+ }
+
+ // Generate a new token
+ GssTokenV1(int tokenType, GssContext context) throws GSSException {
+ initialize(tokenType, context, false);
+ createTokenHeader();
+ }
+
+ // Reconstruct a token
+ GssTokenV1(int tokenType, GssContext context, MessageProp prop,
+ byte[] token, int offset, int size) throws GSSException {
+ int proxLen = size > 64 ? 64 : size;
+ InputStream is = new ByteArrayInputStream(token, offset, proxLen);
+ reconstructInitializaion(tokenType, context, prop, is);
+ reconHeaderLen = gssHeader.getLength() + getTokenHeaderSize();
+ }
+
+ // Reconstruct a token
+ GssTokenV1(int tokenType, GssContext context, MessageProp prop, InputStream is) throws GSSException {
+ reconstructInitializaion(tokenType, context, prop, is);
+ }
+
+ private void reconstructInitializaion(int tokenType, GssContext context, MessageProp prop, InputStream is)
+ throws GSSException {
+ initialize(tokenType, context, true);
+ if (!confState) {
+ prop.setPrivacy(false);
+ }
+
+ try {
+ gssHeader = new GSSHeader(is);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token:" + e.getMessage());
+ }
+
+ if (!gssHeader.getOid().equals((Object) objId)) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token OID");
+ }
+
+ reconstructTokenHeader(is, prop);
+ }
+
+ private void initialize(int tokenType,
+ GssContext context,
+ boolean reconstruct) throws GSSException {
+ this.tokenType = tokenType;
+ this.isInitiator = context.isInitiator();
+ this.confState = context.getConfState();
+ this.encryptor = context.getGssEncryptor();
+ this.checkSumSize = encryptor.getCheckSumSize();
+ if (!reconstruct) {
+ this.sequenceNumber = context.incMySequenceNumber();
+ } else {
+ checkSum = new byte[checkSumSize];
+ }
+ }
+
+ protected void calcPrivacyInfo(MessageProp prop, byte[] confounder, byte[] data,
+ int dataOffset, int dataLength, int paddingLen) throws GSSException {
+ prop.setQOP(0);
+ if (!confState) {
+ prop.setPrivacy(false);
+ }
+
+ checkSum = calcCheckSum(confounder, commHeader, data, dataOffset, dataLength, paddingLen);
+ encryptSequenceNumber();
+ }
+
+ protected void verifyToken(byte[] confounder, byte[] data, int dataOffset, int dataLength, int paddingLen)
+ throws GSSException {
+ byte[] sum = calcCheckSum(confounder, commHeader, data, dataOffset, dataLength, paddingLen);
+ if (!MessageDigest.isEqual(checkSum, sum)) {
+ throw new GSSException(GSSException.BAD_MIC, -1,
+ "Corrupt token checksum for " + (tokenType == TOKEN_MIC_V1 ? "Mic" : "Wrap") + "TokenV1");
+ }
+ }
+
+ private byte[] calcCheckSum(byte[] confounder, byte[] header, byte[] data,
+ int dataOffset, int dataLength, int paddingLen) throws GSSException {
+ return encryptor.calculateCheckSum(confounder, header, data, dataOffset, dataLength, paddingLen,
+ tokenType == TOKEN_MIC_V1);
+ }
+
+ private void encryptSequenceNumber() throws GSSException {
+ plainSequenceBytes = new byte[8];
+ if (encryptor.isArcFourHmac()) {
+ writeBigEndian(plainSequenceBytes, 0, sequenceNumber);
+ } else {
+ plainSequenceBytes[0] = (byte) sequenceNumber;
+ plainSequenceBytes[1] = (byte) (sequenceNumber >>> 8);
+ plainSequenceBytes[2] = (byte) (sequenceNumber >>> 16);
+ plainSequenceBytes[3] = (byte) (sequenceNumber >>> 24);
+ }
+
+ // Hex 0 - sender is the context initiator, Hex FF - sender is the context acceptor
+ if (!isInitiator) {
+ plainSequenceBytes[4] = (byte) 0xFF;
+ plainSequenceBytes[5] = (byte) 0xFF;
+ plainSequenceBytes[6] = (byte) 0xFF;
+ plainSequenceBytes[7] = (byte) 0xFF;
+ }
+
+ encryptedSequenceNumber = encryptor.encryptSequenceNumber(plainSequenceBytes, checkSum, true);
+ }
+
+ public void encodeHeader(OutputStream os) throws GSSException, IOException {
+ // | GSSHeader | TokenHeader |
+ GSSHeader gssHeader = new GSSHeader(objId, getTokenSizeWithoutGssHeader());
+ gssHeader.encode(os);
+ os.write(commHeader);
+ os.write(encryptedSequenceNumber);
+ os.write(checkSum);
+ }
+
+ private void createTokenHeader() {
+ commHeader[0] = (byte) (tokenType >>> 8);
+ commHeader[1] = (byte) tokenType;
+
+ sgnAlg = encryptor.getSgnAlg();
+ commHeader[2] = (byte) (sgnAlg >>> 8);
+ commHeader[3] = (byte) sgnAlg;
+
+ if (tokenType == TOKEN_WRAP_V1) {
+ sealAlg = encryptor.getSealAlg();
+ commHeader[4] = (byte) (sealAlg >>> 8);
+ commHeader[5] = (byte) sealAlg;
+ } else {
+ commHeader[4] = (byte) 0xFF;
+ commHeader[5] = (byte) 0xFF;
+ }
+
+ commHeader[6] = (byte) 0xFF;
+ commHeader[7] = (byte) 0xFF;
+ }
+
+ // Re-construct token commHeader
+ private void reconstructTokenHeader(InputStream is, MessageProp prop) throws GSSException {
+ try {
+ if (is.read(commHeader) != commHeader.length
+ || is.read(encryptedSequenceNumber) != encryptedSequenceNumber.length
+ || is.read(checkSum) != checkSum.length) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Insufficient in reconstruct token header");
+ }
+ initTokenHeader(commHeader, prop);
+
+ plainSequenceBytes = encryptor.encryptSequenceNumber(encryptedSequenceNumber, checkSum, false);
+ byte dirc = isInitiator ? (byte) 0xFF : 0;
+ // Hex 0 - sender is the context initiator, Hex FF - sender is the context acceptor
+ if (!(plainSequenceBytes[4] == dirc && plainSequenceBytes[5] == dirc
+ && plainSequenceBytes[6] == dirc && plainSequenceBytes[7] == dirc)) {
+ throw new GSSException(GSSException.BAD_MIC, -1,
+ "Corrupt token sequence for " + (tokenType == TOKEN_MIC_V1 ? "Mic" : "Wrap") + "TokenV1");
+ }
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Error in reconstruct token header:" + e.getMessage());
+ }
+ }
+
+ private void initTokenHeader(byte[] tokenBytes, MessageProp prop) throws GSSException {
+ int tokenIDRecv = (((int) tokenBytes[0]) << 8) + tokenBytes[1];
+ if (tokenType != tokenIDRecv) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1,
+ "Token ID should be " + tokenType + " instead of " + tokenIDRecv);
+ }
+
+ sgnAlg = (((int) tokenBytes[2]) << 8) + tokenBytes[3];
+ sealAlg = (((int) tokenBytes[4]) << 8) + tokenBytes[5];
+
+ if (tokenBytes[6] != (byte) 0xFF || tokenBytes[7] != (byte) 0xFF) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token head filler");
+ }
+
+ prop.setQOP(0);
+ prop.setPrivacy(sealAlg != SEAL_ALG_NONE);
+ }
+
+ protected GSSHeader getGssHeader() {
+ return gssHeader;
+ }
+
+ abstract int getTokenSizeWithoutGssHeader();
+}
[10/18] directory-kerby git commit: DIRKRB-581 - Imcompatible token
header in init context against JDK GssApi. Thanks to Wei Zhou.
Posted by co...@apache.org.
DIRKRB-581 - Imcompatible token header in init context against JDK GssApi. Thanks to Wei Zhou.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/2bc1ac75
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/2bc1ac75
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/2bc1ac75
Branch: refs/heads/trunk
Commit: 2bc1ac75c435f1ae09dfea492f6a655329763bd5
Parents: 19f2756
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Jul 21 14:57:55 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 14:57:55 2017 +0100
----------------------------------------------------------------------
.../kerberos/kerb/gssapi/krb5/KerbyContext.java | 31 ++++++++++++++++----
1 file changed, 26 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/2bc1ac75/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
index eba2a26..5395afd 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
@@ -48,6 +48,7 @@ import javax.security.auth.kerberos.KerberosTicket;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
+import java.nio.ByteBuffer;
import java.security.Provider;
@SuppressWarnings("PMD")
@@ -58,6 +59,9 @@ public class KerbyContext implements GSSContextSpi {
private static final int STATE_ESTABLISHED = 2;
private static final int STATE_DESTROYED = 3;
+ private static final byte[] MSG_AP_REQ = {(byte) 0x1, (byte) 0};
+ private static final byte[] MSG_AP_REP = {(byte) 0x2, (byte) 0};
+
private int ctxState = STATE_NONE;
private final GSSCaller caller;
@@ -289,7 +293,11 @@ public class KerbyContext implements GSSContextSpi {
}
setupInitiatorContext(sgtTicket, apRequest);
try {
- ret = outApReq.encode();
+ ByteBuffer outBuffer = ByteBuffer.allocate(outApReq.encodingLength() + 2);
+ outBuffer.put(MSG_AP_REQ);
+ outApReq.encode(outBuffer);
+ outBuffer.flip();
+ ret = outBuffer.array();
} catch (IOException e) {
throw new GSSException(GSSException.FAILURE, -1, "Generate ApReq bytes failed: " + e.getMessage());
}
@@ -346,9 +354,13 @@ public class KerbyContext implements GSSContextSpi {
*/
private void verifyServerToken(InputStream is, int mechTokenSize)
throws GSSException {
- byte[] token = new byte[mechTokenSize];
+ byte[] token;
ApRep apRep;
try {
+ if (!(is.read() == MSG_AP_REP[0] && is.read() == MSG_AP_REP[1])) {
+ throw new GSSException(GSSException.FAILURE, -1, "Invalid ApRep message ID");
+ }
+ token = new byte[mechTokenSize - MSG_AP_REP.length];
is.read(token);
apRep = new ApRep();
apRep.decode(token);
@@ -404,14 +416,19 @@ public class KerbyContext implements GSSContextSpi {
private byte[] verifyClientToken(KerbyAcceptCred acceptCred, InputStream is, int mechTokenSize)
throws GSSException {
- byte[] token = new byte[mechTokenSize];
+ byte[] token;
ApReq apReq;
try {
+ if (!(is.read() == MSG_AP_REQ[0] && is.read() == MSG_AP_REQ[1])) {
+ throw new GSSException(GSSException.FAILURE, -1, "Invalid ApReq message ID");
+ }
+
+ token = new byte[mechTokenSize - MSG_AP_REQ.length];
is.read(token);
apReq = new ApReq();
apReq.decode(token);
} catch (IOException e) {
- throw new GSSException(GSSException.UNAUTHORIZED, -1, "ApReq invalid" + e.getMessage());
+ throw new GSSException(GSSException.UNAUTHORIZED, -1, "ApReq invalid:" + e.getMessage());
}
int kvno = apReq.getTicket().getEncryptedEncPart().getKvno();
@@ -459,7 +476,11 @@ public class KerbyContext implements GSSContextSpi {
byte[] ret = null;
try {
- ret = apRep.encode();
+ ByteBuffer outBuffer = ByteBuffer.allocate(apRep.encodingLength() + 2);
+ outBuffer.put(MSG_AP_REP);
+ apRep.encode(outBuffer);
+ outBuffer.flip();
+ ret = outBuffer.array();
} catch (IOException e) {
throw new GSSException(GSSException.FAILURE, -1, "Generate ApRep bytes failed:" + e.getMessage());
}
[08/18] directory-kerby git commit: DIRKRB-571 - Add encryptRaw
interface for GssToken encryption
Posted by co...@apache.org.
DIRKRB-571 - Add encryptRaw interface for GssToken encryption
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/135a67f4
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/135a67f4
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/135a67f4
Branch: refs/heads/trunk
Commit: 135a67f4a41b65d8dba60c30aabf683a81bf58f7
Parents: 706b85e
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Jul 21 14:55:56 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 14:55:56 2017 +0100
----------------------------------------------------------------------
.../kerberos/kerb/crypto/EncTypeHandler.java | 12 +++
.../kerb/crypto/enc/AbstractEncTypeHandler.java | 40 +++++++++-
.../kerberos/kerb/crypto/enc/DesCbcEnc.java | 25 ++++++-
.../kerby/kerberos/kerb/crypto/enc/KeKiEnc.java | 77 +++++++++++---------
.../kerberos/kerb/crypto/enc/Rc4HmacEnc.java | 13 +++-
5 files changed, 125 insertions(+), 42 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/135a67f4/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/EncTypeHandler.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/EncTypeHandler.java b/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/EncTypeHandler.java
index 09bad5d..ac40935 100644
--- a/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/EncTypeHandler.java
+++ b/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/EncTypeHandler.java
@@ -54,9 +54,21 @@ public interface EncTypeHandler extends CryptoTypeHandler {
byte[] encrypt(byte[] data, byte[] key, byte[] ivec,
int usage) throws KrbException;
+ byte[] encryptRaw(byte[] data, byte[] key, int usage)
+ throws KrbException;
+
+ byte[] encryptRaw(byte[] data, byte[] key, byte[] ivec,
+ int usage) throws KrbException;
+
byte[] decrypt(byte[] cipher, byte[] key, int usage)
throws KrbException;
byte[] decrypt(byte[] cipher, byte[] key, byte[] ivec,
int usage) throws KrbException;
+
+ byte[] decryptRaw(byte[] data, byte[] key, int usage)
+ throws KrbException;
+
+ byte[] decryptRaw(byte[] cipher, byte[] key, byte[] ivec,
+ int usage) throws KrbException;
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/135a67f4/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/AbstractEncTypeHandler.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/AbstractEncTypeHandler.java b/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/AbstractEncTypeHandler.java
index 28303c0..3d8c432 100644
--- a/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/AbstractEncTypeHandler.java
+++ b/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/AbstractEncTypeHandler.java
@@ -123,12 +123,29 @@ public abstract class AbstractEncTypeHandler
int[] workLens = new int[] {confounderLen, checksumLen,
inputLen, paddingLen};
- encryptWith(workBuffer, workLens, key, iv, usage);
+ encryptWith(workBuffer, workLens, key, iv, usage, false);
+ return workBuffer;
+ }
+
+ @Override
+ public byte[] encryptRaw(byte[] data, byte[] key, int usage) throws KrbException {
+ byte[] iv = new byte[encProvider().blockSize()];
+ return encryptRaw(data, key, iv, usage);
+ }
+
+ @Override
+ public byte[] encryptRaw(byte[] data, byte[] key, byte[] iv, int usage) throws KrbException {
+ int checksumLen = checksumSize();
+ int[] workLens = new int[] {0, checksumLen, data.length, 0};
+ byte[] workBuffer = new byte[data.length];
+ System.arraycopy(data, 0, workBuffer, 0, data.length);
+
+ encryptWith(workBuffer, workLens, key, iv, usage, true);
return workBuffer;
}
protected void encryptWith(byte[] workBuffer, int[] workLens,
- byte[] key, byte[] iv, int usage) throws KrbException {
+ byte[] key, byte[] iv, int usage, boolean raw) throws KrbException {
}
@@ -147,11 +164,26 @@ public abstract class AbstractEncTypeHandler
int dataLen = totalLen - (confounderLen + checksumLen);
int[] workLens = new int[] {confounderLen, checksumLen, dataLen};
- return decryptWith(cipher, workLens, key, iv, usage);
+ return decryptWith(cipher, workLens, key, iv, usage, false);
+ }
+
+ @Override
+ public byte[] decryptRaw(byte[] cipher, byte[] key, int usage)
+ throws KrbException {
+ byte[] iv = new byte[encProvider().blockSize()];
+ return decryptRaw(cipher, key, iv, usage);
+ }
+
+ @Override
+ public byte[] decryptRaw(byte[] cipher, byte[] key, byte[] iv, int usage)
+ throws KrbException {
+ int checksumLen = checksumSize();
+ int[] workLens = new int[] {0, checksumLen, cipher.length};
+ return decryptWith(cipher, workLens, key, iv, usage, true);
}
protected byte[] decryptWith(byte[] workBuffer, int[] workLens,
- byte[] key, byte[] iv, int usage) throws KrbException {
+ byte[] key, byte[] iv, int usage, boolean raw) throws KrbException {
return null;
}
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/135a67f4/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/DesCbcEnc.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/DesCbcEnc.java b/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/DesCbcEnc.java
index 6834d0b..f57c498 100644
--- a/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/DesCbcEnc.java
+++ b/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/DesCbcEnc.java
@@ -58,7 +58,16 @@ abstract class DesCbcEnc extends AbstractEncTypeHandler {
@Override
protected void encryptWith(byte[] workBuffer, int[] workLens,
- byte[] key, byte[] iv, int usage) throws KrbException {
+ byte[] key, byte[] iv, int usage, boolean raw) throws KrbException {
+ if (!raw) {
+ doEncryptWith(workBuffer, workLens, key, iv);
+ } else {
+ encProvider().encrypt(key, iv, workBuffer);
+ }
+ }
+
+ private void doEncryptWith(byte[] workBuffer, int[] workLens,
+ byte[] key, byte[] iv) throws KrbException {
int confounderLen = workLens[0];
int checksumLen = workLens[1];
int dataLen = workLens[2];
@@ -83,7 +92,19 @@ abstract class DesCbcEnc extends AbstractEncTypeHandler {
@Override
protected byte[] decryptWith(byte[] workBuffer, int[] workLens,
- byte[] key, byte[] iv, int usage) throws KrbException {
+ byte[] key, byte[] iv, int usage, boolean raw) throws KrbException {
+ if (!raw) {
+ return doDecryptWith(workBuffer, workLens, key, iv);
+ } else {
+ encProvider().decrypt(key, iv, workBuffer);
+ byte[] data = new byte[workBuffer.length];
+ System.arraycopy(workBuffer, 0, data, 0, data.length);
+ return data;
+ }
+ }
+
+ private byte[] doDecryptWith(byte[] workBuffer, int[] workLens,
+ byte[] key, byte[] iv) throws KrbException {
int confounderLen = workLens[0];
int checksumLen = workLens[1];
int dataLen = workLens[2];
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/135a67f4/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/KeKiEnc.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/KeKiEnc.java b/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/KeKiEnc.java
index 23e7a6c..6e98d2a 100644
--- a/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/KeKiEnc.java
+++ b/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/KeKiEnc.java
@@ -52,7 +52,7 @@ public abstract class KeKiEnc extends AbstractEncTypeHandler {
@Override
protected void encryptWith(byte[] workBuffer, int[] workLens,
- byte[] key, byte[] iv, int usage) throws KrbException {
+ byte[] key, byte[] iv, int usage, boolean raw) throws KrbException {
int confounderLen = workLens[0];
int checksumLen = workLens[1];
int inputLen = workLens[2];
@@ -75,31 +75,35 @@ public abstract class KeKiEnc extends AbstractEncTypeHandler {
* so need to adjust the workBuffer arrangement
*/
- byte[] tmpEnc = new byte[confounderLen + inputLen + paddingLen];
- // confounder
- byte[] confounder = Confounder.makeBytes(confounderLen);
- System.arraycopy(confounder, 0, tmpEnc, 0, confounderLen);
-
- // data
- System.arraycopy(workBuffer, confounderLen + checksumLen,
- tmpEnc, confounderLen, inputLen);
-
- // padding
- for (int i = confounderLen + inputLen; i < paddingLen; ++i) {
- tmpEnc[i] = 0;
+ if (!raw) {
+ byte[] tmpEnc = new byte[confounderLen + inputLen + paddingLen];
+ // confounder
+ byte[] confounder = Confounder.makeBytes(confounderLen);
+ System.arraycopy(confounder, 0, tmpEnc, 0, confounderLen);
+
+ // data
+ System.arraycopy(workBuffer, confounderLen + checksumLen,
+ tmpEnc, confounderLen, inputLen);
+
+ // padding
+ for (int i = confounderLen + inputLen; i < paddingLen; ++i) {
+ tmpEnc[i] = 0;
+ }
+
+ // checksum & encrypt
+ byte[] checksum = makeChecksum(ki, tmpEnc, checksumLen);
+ encProvider().encrypt(ke, iv, tmpEnc);
+
+ System.arraycopy(tmpEnc, 0, workBuffer, 0, tmpEnc.length);
+ System.arraycopy(checksum, 0, workBuffer, tmpEnc.length, checksum.length);
+ } else {
+ encProvider().encrypt(ke, iv, workBuffer);
}
-
- // checksum & encrypt
- byte[] checksum = makeChecksum(ki, tmpEnc, checksumLen);
- encProvider().encrypt(ke, iv, tmpEnc);
-
- System.arraycopy(tmpEnc, 0, workBuffer, 0, tmpEnc.length);
- System.arraycopy(checksum, 0, workBuffer, tmpEnc.length, checksum.length);
}
@Override
protected byte[] decryptWith(byte[] workBuffer, int[] workLens,
- byte[] key, byte[] iv, int usage) throws KrbException {
+ byte[] key, byte[] iv, int usage, boolean raw) throws KrbException {
int confounderLen = workLens[0];
int checksumLen = workLens[1];
int dataLen = workLens[2];
@@ -116,20 +120,25 @@ public abstract class KeKiEnc extends AbstractEncTypeHandler {
byte[] tmpEnc = new byte[confounderLen + dataLen];
System.arraycopy(workBuffer, 0,
tmpEnc, 0, confounderLen + dataLen);
- byte[] checksum = new byte[checksumLen];
- System.arraycopy(workBuffer, confounderLen + dataLen,
- checksum, 0, checksumLen);
-
- encProvider().decrypt(ke, iv, tmpEnc);
- byte[] newChecksum = makeChecksum(ki, tmpEnc, checksumLen);
-
- if (!checksumEqual(checksum, newChecksum)) {
- throw new KrbException(KrbErrorCode.KRB_AP_ERR_BAD_INTEGRITY);
+ if (!raw) {
+ byte[] checksum = new byte[checksumLen];
+ System.arraycopy(workBuffer, confounderLen + dataLen,
+ checksum, 0, checksumLen);
+
+ encProvider().decrypt(ke, iv, tmpEnc);
+ byte[] newChecksum = makeChecksum(ki, tmpEnc, checksumLen);
+
+ if (!checksumEqual(checksum, newChecksum)) {
+ throw new KrbException(KrbErrorCode.KRB_AP_ERR_BAD_INTEGRITY);
+ }
+
+ byte[] data = new byte[dataLen];
+ System.arraycopy(tmpEnc, confounderLen, data, 0, dataLen);
+ return data;
+ } else {
+ encProvider().decrypt(ke, iv, tmpEnc);
+ return tmpEnc;
}
-
- byte[] data = new byte[dataLen];
- System.arraycopy(tmpEnc, confounderLen, data, 0, dataLen);
- return data;
}
protected abstract byte[] makeChecksum(byte[] key, byte[] data, int hashSize)
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/135a67f4/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/Rc4HmacEnc.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/Rc4HmacEnc.java b/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/Rc4HmacEnc.java
index 2f4aa59..f9a2f49 100644
--- a/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/Rc4HmacEnc.java
+++ b/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/Rc4HmacEnc.java
@@ -80,8 +80,13 @@ public class Rc4HmacEnc extends AbstractEncTypeHandler {
return CheckSumType.HMAC_MD5_ARCFOUR;
}
+ @Override
protected void encryptWith(byte[] workBuffer, int[] workLens,
- byte[] key, byte[] iv, int usage) throws KrbException {
+ byte[] key, byte[] iv, int usage, boolean raw) throws KrbException {
+ if (raw) {
+ throw new KrbException(KrbErrorCode.KDC_ERR_ETYPE_NOSUPP,
+ "Raw mode not supported for this encryption type");
+ }
int confounderLen = workLens[0];
int checksumLen = workLens[1];
int dataLen = workLens[2];
@@ -133,7 +138,11 @@ public class Rc4HmacEnc extends AbstractEncTypeHandler {
@Override
protected byte[] decryptWith(byte[] workBuffer, int[] workLens,
- byte[] key, byte[] iv, int usage) throws KrbException {
+ byte[] key, byte[] iv, int usage, boolean raw) throws KrbException {
+ if (raw) {
+ throw new KrbException(KrbErrorCode.KDC_ERR_ETYPE_NOSUPP,
+ "Raw mode not supported for this encryption type");
+ }
int confounderLen = workLens[0];
int checksumLen = workLens[1];
int dataLen = workLens[2];
[09/18] directory-kerby git commit: DIRKRB-576 - Add test for
client-server based on Kerby GssApi. Thanks to Wei Zhou
Posted by co...@apache.org.
DIRKRB-576 - Add test for client-server based on Kerby GssApi. Thanks to Wei Zhou
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/19f27565
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/19f27565
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/19f27565
Branch: refs/heads/trunk
Commit: 19f27565d45e9c3a07ed7fe61f20d1c382eae8ad
Parents: 135a67f
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Jul 21 14:57:18 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 14:57:40 2017 +0100
----------------------------------------------------------------------
kerby-kerb/integration-test/pom.xml | 5 +++
.../kerb/integration/test/KerbyGssAppTest.java | 41 ++++++++++++++++++++
2 files changed, 46 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/19f27565/kerby-kerb/integration-test/pom.xml
----------------------------------------------------------------------
diff --git a/kerby-kerb/integration-test/pom.xml b/kerby-kerb/integration-test/pom.xml
index 07b571a..6b17cb5 100644
--- a/kerby-kerb/integration-test/pom.xml
+++ b/kerby-kerb/integration-test/pom.xml
@@ -45,6 +45,11 @@
<version>${project.version}</version>
</dependency>
<dependency>
+ <groupId>org.apache.kerby</groupId>
+ <artifactId>kerb-gssapi</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-simple</artifactId>
<version>${slf4j.version}</version>
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/19f27565/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyGssAppTest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyGssAppTest.java b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyGssAppTest.java
new file mode 100644
index 0000000..d9030df
--- /dev/null
+++ b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyGssAppTest.java
@@ -0,0 +1,41 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.integration.test;
+
+import org.junit.Before;
+import org.junit.Test;
+
+import java.security.Provider;
+
+public class KerbyGssAppTest extends GssAppTest {
+
+ @Before
+ @Override
+ public void setUp() throws Exception {
+ Provider provider = new org.apache.kerby.kerberos.kerb.gssapi.Provider();
+ java.security.Security.insertProviderAt(provider, 1);
+ super.setUp();
+ }
+
+ @Test
+ public void test() throws Exception {
+ super.test();
+ }
+}
[18/18] directory-kerby git commit: Fixing dead code warning
Posted by co...@apache.org.
Fixing dead code warning
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/cc107ac1
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/cc107ac1
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/cc107ac1
Branch: refs/heads/trunk
Commit: cc107ac19eaa401934a472dd69988ea572594f9c
Parents: 6bf7ddb
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Jul 21 16:03:02 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 16:03:02 2017 +0100
----------------------------------------------------------------------
.../apache/kerby/kerberos/kerb/gss/impl/GssUtil.java | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/cc107ac1/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssUtil.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssUtil.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssUtil.java
index 6b55ea9..0ee6d2c 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssUtil.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssUtil.java
@@ -304,11 +304,16 @@ public class GssUtil {
public static KrbClientBase getKrbClient() {
KrbClientBase client;
try {
- File confSpecified = new File(getSystemProperty("java.security.krb5.conf"));
- if (confSpecified != null) {
- client = new KrbClientBase(confSpecified);
+ String systemProperty = getSystemProperty("java.security.krb5.conf");
+ if (systemProperty != null) {
+ File confSpecified = new File(systemProperty);
+ if (confSpecified.exists()) {
+ client = new KrbClientBase(confSpecified);
+ } else {
+ client = new KrbClientBase(); // get configure file from environment variable or default path
+ }
} else {
- client = new KrbClientBase(); // get configure file from environment variable or default path
+ client = new KrbClientBase();
}
return client;
[15/18] directory-kerby git commit: Fixing some problems with the
merges
Posted by co...@apache.org.
Fixing some problems with the merges
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/ee2e516a
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/ee2e516a
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/ee2e516a
Branch: refs/heads/trunk
Commit: ee2e516ac6b2ff3a60186d1fa1c2bcfaae4dc040
Parents: 976b16c
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Jul 21 15:01:11 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 15:01:11 2017 +0100
----------------------------------------------------------------------
.../kerberos/kerb/gss/impl/GssContext.java | 102 ++++++++++++++++---
1 file changed, 87 insertions(+), 15 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/ee2e516a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssContext.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssContext.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssContext.java
index bbb149a..9d63d1c 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssContext.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssContext.java
@@ -442,7 +442,8 @@ public class GssContext implements GSSContextSpi {
}
try {
- ApRequest.validate(serverKey, apReq, channelBinding.getInitiatorAddress(), 5 * 60 * 1000);
+ ApRequest.validate(serverKey, apReq,
+ channelBinding == null ? null : channelBinding.getInitiatorAddress(), 5 * 60 * 1000);
} catch (KrbException e) {
throw new GSSException(GSSException.UNAUTHORIZED, -1, "ApReq verification failed: " + e.getMessage());
}
@@ -502,12 +503,22 @@ public class GssContext implements GSSContextSpi {
if (ctxState != STATE_ESTABLISHED) {
throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for wrap");
}
+
+ int len;
+ byte[] inBuf;
+ try {
+ len = is.available();
+ inBuf = new byte[len];
+ is.read(inBuf);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Error when get user data:" + e.getMessage());
+ }
if (gssEncryptor.isV2()) {
- WrapTokenV2 token = new WrapTokenV2(this, inBuf, 0, len, msgProp);
- token.wrap(os);
+ WrapTokenV2 token = new WrapTokenV2(this, inBuf, 0, len, msgProp);
+ token.wrap(os);
} else {
- WrapTokenV1 token = new WrapTokenV1(this, inBuf, 0, len, msgProp);
- token.wrap(os);
+ WrapTokenV1 token = new WrapTokenV1(this, inBuf, 0, len, msgProp);
+ token.wrap(os);
}
}
@@ -518,17 +529,21 @@ public class GssContext implements GSSContextSpi {
}
byte[] ret;
if (gssEncryptor.isV2()) {
- WrapTokenV2 token = new WrapTokenV2(this, inBuf, offset, len, msgProp);
- ret = token.wrap();
+ WrapTokenV2 token = new WrapTokenV2(this, inBuf, offset, len, msgProp);
+ ret = token.wrap();
} else {
- WrapTokenV1 token = new WrapTokenV1(this, inBuf, offset, len, msgProp);
- ret = token.wrap();
+ WrapTokenV1 token = new WrapTokenV1(this, inBuf, offset, len, msgProp);
+ ret = token.wrap();
}
return ret;
}
public void unwrap(InputStream is, OutputStream os,
MessageProp msgProp) throws GSSException {
+ if (ctxState != STATE_ESTABLISHED) {
+ throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for unwrap");
+ }
+
if (gssEncryptor.isV2()) {
WrapTokenV2 token = new WrapTokenV2(this, msgProp, is);
token.unwrap(os);
@@ -543,10 +558,11 @@ public class GssContext implements GSSContextSpi {
if (ctxState != STATE_ESTABLISHED) {
throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for unwrap");
}
+
byte[] ret;
if (gssEncryptor.isV2()) {
- WrapTokenV2 token = new WrapTokenV2(this, msgProp, inBuf, offset, len);
- ret = token.unwrap();
+ WrapTokenV2 token = new WrapTokenV2(this, msgProp, inBuf, offset, len);
+ ret = token.unwrap();
} else {
WrapTokenV1 token = new WrapTokenV1(this, msgProp, inBuf, offset, len);
ret = token.unwrap();
@@ -555,26 +571,81 @@ public class GssContext implements GSSContextSpi {
}
public void getMIC(InputStream is, OutputStream os,
- MessageProp msgProp)
- throws GSSException {
+ MessageProp msgProp) throws GSSException {
+ if (ctxState != STATE_ESTABLISHED) {
+ throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for getMIC");
+ }
+
+ try {
+ int len = is.available();
+ byte[] inMsg = new byte[len];
+ is.read(inMsg);
+ if (gssEncryptor.isV2()) {
+ MicTokenV2 token = new MicTokenV2(this, inMsg, 0, len, msgProp);
+ token.getMic(os);
+ } else {
+ MicTokenV1 token = new MicTokenV1(this, inMsg, 0, len, msgProp);
+ token.getMic(os);
+ }
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Error when get user data in getMIC:" + e.getMessage());
+ }
}
public byte[] getMIC(byte[] inMsg, int offset, int len,
MessageProp msgProp) throws GSSException {
- return null; // TODO: to be implemented
+ if (ctxState != STATE_ESTABLISHED) {
+ throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for getMIC");
+ }
+
+ byte[] ret;
+ if (gssEncryptor.isV2()) {
+ MicTokenV2 token = new MicTokenV2(this, inMsg, offset, len, msgProp);
+ ret = token.getMic();
+ } else {
+ MicTokenV1 token = new MicTokenV1(this, inMsg, offset, len, msgProp);
+ ret = token.getMic();
+ }
+ return ret;
}
public void verifyMIC(InputStream is, InputStream msgStr,
MessageProp msgProp) throws GSSException {
+ if (ctxState != STATE_ESTABLISHED) {
+ throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for verifyMIC");
+ }
+
+ try {
+ int tokLen = is.available();
+ byte[] inTok = new byte[tokLen];
+ int msgLen = msgStr.available();
+ byte[] inMsg = new byte[msgLen];
+
+ verifyMIC(inTok, 0, tokLen, inMsg, 0, msgLen, msgProp);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Error when get user data in verifyMIC:" + e.getMessage());
+ }
}
public void verifyMIC(byte[]inTok, int tokOffset, int tokLen,
byte[] inMsg, int msgOffset, int msgLen,
MessageProp msgProp) throws GSSException {
+ if (ctxState != STATE_ESTABLISHED) {
+ throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for verifyMIC");
+ }
+
+ if (gssEncryptor.isV2()) {
+ MicTokenV2 token = new MicTokenV2(this, msgProp, inTok, tokOffset, tokLen);
+ token.verify(inMsg, msgOffset, msgLen);
+ } else {
+ MicTokenV1 token = new MicTokenV1(this, msgProp, inTok, tokOffset, tokLen);
+ token.verify(inMsg, msgOffset, msgLen);
+ }
}
public byte[] export() throws GSSException {
- throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported export method");
+ throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported export() method");
}
public void dispose() throws GSSException {
@@ -672,3 +743,4 @@ public class GssContext implements GSSContextSpi {
return gssEncryptor;
}
}
+
[04/18] directory-kerby git commit: DIRKRB-560 - Implement
GSSContextSpi interface. Thanks to Wei Zhou.
Posted by co...@apache.org.
DIRKRB-560 - Implement GSSContextSpi interface. Thanks to Wei Zhou.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/06024445
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/06024445
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/06024445
Branch: refs/heads/trunk
Commit: 060244450a7fbf83fd59d7c63068339384aa6d45
Parents: 2c1f222
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Jul 21 14:46:39 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 14:47:04 2017 +0100
----------------------------------------------------------------------
.../kerberos/kerb/gssapi/krb5/KerbyContext.java | 610 +++++++++++++++++++
.../kerberos/kerb/gssapi/krb5/KerbyUtil.java | 22 +-
2 files changed, 623 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/06024445/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
new file mode 100644
index 0000000..e017683
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
@@ -0,0 +1,610 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gssapi.krb5;
+
+import com.sun.security.jgss.InquireType;
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.gssapi.KerbyMechFactory;
+import org.apache.kerby.kerberos.kerb.request.ApRequest;
+import org.apache.kerby.kerberos.kerb.response.ApResponse;
+import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationData;
+import org.apache.kerby.kerberos.kerb.type.ap.ApRep;
+import org.apache.kerby.kerberos.kerb.type.ap.ApReq;
+import org.apache.kerby.kerberos.kerb.type.ap.Authenticator;
+import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
+import org.apache.kerby.kerberos.kerb.type.kdc.EncKdcRepPart;
+import org.apache.kerby.kerberos.kerb.type.ticket.EncTicketPart;
+import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
+import org.apache.kerby.kerberos.kerb.type.ticket.TicketFlags;
+import org.ietf.jgss.ChannelBinding;
+import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.MessageProp;
+import org.ietf.jgss.Oid;
+import sun.security.jgss.GSSCaller;
+import sun.security.jgss.spi.GSSContextSpi;
+import sun.security.jgss.spi.GSSCredentialSpi;
+import sun.security.jgss.spi.GSSNameSpi;
+
+import javax.security.auth.kerberos.KerberosTicket;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.security.Provider;
+
+@SuppressWarnings("PMD")
+public class KerbyContext implements GSSContextSpi {
+
+ private static final int STATE_NONE = 0;
+ private static final int STATE_ESTABLISHING = 1;
+ private static final int STATE_ESTABLISHED = 2;
+ private static final int STATE_DESTROYED = 3;
+
+ private int ctxState = STATE_NONE;
+
+ private final GSSCaller caller;
+ private KerbyCredElement myCred;
+ private boolean initiator;
+ private KerbyNameElement myName;
+ private KerbyNameElement peerName;
+ private int lifeTime;
+ private ChannelBinding channelBinding;
+
+ private boolean mutualAuth = true;
+ private boolean replayDet = true;
+ private boolean sequenceDet = true;
+ private boolean credDeleg = false;
+ private boolean confState = true;
+ private boolean integState = true;
+ private boolean delegPolicy = false;
+
+ public static final int INVALID_KEY = 0;
+ public static final int SESSION_KEY = 1;
+ public static final int INITIATOR_SUBKEY = 2;
+ public static final int ACCEPTOR_SUBKEY = 4;
+ private int keyComesFrom = INVALID_KEY;
+
+ private EncryptionKey sessionKey; // used between client and app server
+ private TicketFlags ticketFlags;
+ private ApReq outApReq;
+
+ // Called on initiator's side.
+ public KerbyContext(GSSCaller caller, KerbyNameElement peerName, KerbyCredElement myCred,
+ int lifeTime)
+ throws GSSException {
+ if (peerName == null) {
+ throw new IllegalArgumentException("Cannot have null peer name");
+ }
+
+ this.caller = caller;
+ this.peerName = peerName;
+ this.myCred = myCred;
+ this.lifeTime = lifeTime;
+ this.initiator = true;
+
+ mySequenceNumberLock = new Object();
+ peerSequenceNumberLock = new Object();
+ }
+
+ public KerbyContext(GSSCaller caller, KerbyAcceptCred myCred)
+ throws GSSException {
+ this.caller = caller;
+ this.myCred = myCred;
+ this.initiator = false;
+
+ mySequenceNumberLock = new Object();
+ peerSequenceNumberLock = new Object();
+ }
+
+ public KerbyContext(GSSCaller caller, byte[] interProcessToken)
+ throws GSSException {
+ throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported feature");
+ }
+
+ public Provider getProvider() {
+ return new org.apache.kerby.kerberos.kerb.gssapi.Provider();
+ }
+
+ public void requestLifetime(int lifeTime) throws GSSException {
+ if (ctxState == STATE_NONE && isInitiator()) {
+ this.lifeTime = lifeTime;
+ }
+ }
+
+ public void requestMutualAuth(boolean state) throws GSSException {
+ if (ctxState == STATE_NONE && isInitiator()) {
+ mutualAuth = state;
+ }
+ }
+
+ public void requestReplayDet(boolean state) throws GSSException {
+ if (ctxState == STATE_NONE && isInitiator()) {
+ replayDet = state;
+ }
+ }
+
+ public void requestSequenceDet(boolean state) throws GSSException {
+ if (ctxState == STATE_NONE && isInitiator()) {
+ replayDet = state;
+ }
+ }
+
+ public void requestCredDeleg(boolean state) throws GSSException {
+ if (ctxState == STATE_NONE && isInitiator() && myCred == null) {
+ credDeleg = state;
+ }
+ }
+
+ public void requestAnonymity(boolean state) throws GSSException {
+ // anonymous context not supported
+ }
+
+ public void requestConf(boolean state) throws GSSException {
+ if (ctxState == STATE_NONE && isInitiator()) {
+ confState = state;
+ }
+ }
+
+ public void requestInteg(boolean state) throws GSSException {
+ if (ctxState == STATE_NONE && isInitiator()) {
+ integState = state;
+ }
+ }
+
+ public void requestDelegPolicy(boolean state) throws GSSException {
+ if (ctxState == STATE_NONE && isInitiator()) {
+ delegPolicy = state;
+ }
+ }
+
+ public void setChannelBinding(ChannelBinding cb) throws GSSException {
+ this.channelBinding = cb;
+ }
+
+ public boolean getCredDelegState() {
+ return credDeleg;
+ }
+
+ public boolean getMutualAuthState() {
+ return mutualAuth;
+ }
+
+ public boolean getReplayDetState() {
+ return replayDet || sequenceDet;
+ }
+
+ public boolean getSequenceDetState() {
+ return sequenceDet;
+ }
+
+ public boolean getAnonymityState() {
+ return false;
+ }
+
+ public boolean getDelegPolicyState() {
+ return delegPolicy;
+ }
+
+ public boolean isTransferable() throws GSSException {
+ return false;
+ }
+
+ public boolean isProtReady() {
+ return ctxState == STATE_ESTABLISHED;
+ }
+
+ public boolean isInitiator() {
+ return initiator;
+ }
+
+ public boolean getConfState() {
+ return confState;
+ }
+
+ public boolean getIntegState() {
+ return integState;
+ }
+
+ public int getLifetime() {
+ return GSSContext.INDEFINITE_LIFETIME;
+ }
+
+ public boolean isEstablished() {
+ return ctxState == STATE_ESTABLISHED;
+ }
+
+ public GSSNameSpi getSrcName() throws GSSException {
+ return isInitiator() ? myName : peerName;
+ }
+
+ public GSSNameSpi getTargName() throws GSSException {
+ return !isInitiator() ? myName : peerName;
+ }
+
+ public Oid getMech() throws GSSException {
+ return KerbyMechFactory.getOid();
+ }
+
+ public GSSCredentialSpi getDelegCred() throws GSSException {
+ throw new GSSException(GSSException.FAILURE, -1, "API not implemented"); // TODO:
+ }
+
+ public byte[] initSecContext(InputStream is, int mechTokenSize)
+ throws GSSException {
+ if (!isInitiator()) {
+ throw new GSSException(GSSException.FAILURE, -1, "initSecContext called on acceptor");
+ }
+
+ byte[] ret = null;
+
+ if (ctxState == STATE_NONE) {
+
+ if (!myCred.isInitiatorCredential()) {
+ throw new GSSException(GSSException.NO_CRED, -1, "No TGT available");
+ }
+
+ // check if service ticket already exists
+ // if not, prepare to get it through TGS_REQ
+ SgtTicket sgtTicket = null;
+ String serviceName = peerName.getPrincipalName().getName();
+ myName = (KerbyNameElement) myCred.getName();
+ PrincipalName clientPrincipal = myName.getPrincipalName();
+
+ sgtTicket = KerbyUtil.getSgtCredentialFromContext(caller, clientPrincipal.getName(), serviceName);
+
+ if (sgtTicket == null) {
+ sgtTicket = KerbyUtil.applySgtCredential(((KerbyInitCred) myCred).ticket, serviceName);
+
+ // add this service credential to context
+ final KerberosTicket ticket =
+ KerbyUtil.convertKrbTicketToKerberosTicket(sgtTicket, myName.getPrincipalName().getName());
+ CredUtils.addCredentialToSubject(ticket);
+ }
+
+ ApRequest apRequest = new ApRequest(clientPrincipal, sgtTicket);
+ try {
+ outApReq = apRequest.getApReq();
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Generate ApReq failed: " + e.getMessage());
+ }
+ setupInitiatorContext(sgtTicket, apRequest);
+ try {
+ ret = outApReq.encode();
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Generate ApReq bytes failed: " + e.getMessage());
+ }
+
+ ctxState = STATE_ESTABLISHING;
+ if (!getMutualAuthState()) {
+ ctxState = STATE_ESTABLISHED;
+ }
+
+ } else if (ctxState == STATE_ESTABLISHING) {
+ verifyServerToken(is, mechTokenSize);
+ outApReq = null;
+ ctxState = STATE_ESTABLISHED;
+ }
+ return ret;
+ }
+
+ private void setupInitiatorContext(SgtTicket sgt, ApRequest apRequest) throws GSSException {
+ EncKdcRepPart encKdcRepPart = sgt.getEncKdcRepPart();
+ TicketFlags ticketFlags = encKdcRepPart.getFlags();
+ setTicketFlags(ticketFlags);
+
+ setAuthTime(encKdcRepPart.getAuthTime().toString());
+
+ Authenticator auth;
+ try {
+ auth = apRequest.getApReq().getAuthenticator();
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "ApReq failed in Initiator");
+ }
+ setMySequenceNumber(auth.getSeqNumber());
+
+ EncryptionKey subKey = auth.getSubKey();
+ if (subKey != null) {
+ setSessionKey(subKey, KerbyContext.INITIATOR_SUBKEY);
+ } else {
+ setSessionKey(sgt.getSessionKey(), KerbyContext.SESSION_KEY);
+ }
+
+ if (!getMutualAuthState()) {
+ setPeerSequenceNumber(0);
+ }
+ }
+
+ /**
+ * Verify the AP_REP from server and set context accordingly
+ * @param is
+ * @param mechTokenSize
+ * @return
+ * @throws GSSException
+ * @throws IOException
+ */
+ private void verifyServerToken(InputStream is, int mechTokenSize)
+ throws GSSException {
+ byte[] token = new byte[mechTokenSize];
+ ApRep apRep;
+ try {
+ is.read(token);
+ apRep = new ApRep();
+ apRep.decode(token);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Invalid ApRep " + e.getMessage());
+ }
+
+ try {
+ ApResponse.validate(getSessionKey(), apRep, outApReq);
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.UNAUTHORIZED, -1, "ApRep verification failed");
+ }
+
+ EncryptionKey key = apRep.getEncRepPart().getSubkey();
+ if (key != null) {
+ setSessionKey(key, ACCEPTOR_SUBKEY);
+ }
+
+ int seqNum = apRep.getEncRepPart().getSeqNumber();
+ setPeerSequenceNumber(seqNum == -1 ? 0 : seqNum);
+ }
+
+ public byte[] acceptSecContext(InputStream is, int mechTokenSize)
+ throws GSSException {
+ byte[] ret = null;
+
+ if (isInitiator()) {
+ throw new GSSException(GSSException.FAILURE, -1, "acceptSecContext called on initiator");
+ }
+
+ if (ctxState == STATE_NONE) {
+ ctxState = STATE_ESTABLISHING;
+ if (!myCred.isAcceptorCredential()) {
+ throw new GSSException(GSSException.FAILURE, -1, "No acceptor credential available");
+ }
+
+ KerbyAcceptCred acceptCred = (KerbyAcceptCred) myCred;
+ CredUtils.checkPrincipalPermission(
+ ((KerbyNameElement) acceptCred.getName()).getPrincipalName().getName(), "accept");
+
+ if (getMutualAuthState()) {
+ ret = verifyClientToken(acceptCred, is, mechTokenSize);
+ }
+
+ myCred = null;
+ ctxState = STATE_ESTABLISHED;
+ }
+
+ return ret;
+ }
+
+ private byte[] verifyClientToken(KerbyAcceptCred acceptCred, InputStream is, int mechTokenSize)
+ throws GSSException {
+ byte[] token = new byte[mechTokenSize];
+ ApReq apReq;
+ try {
+ is.read(token);
+ apReq = new ApReq();
+ apReq.decode(token);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.UNAUTHORIZED, -1, "ApReq invalid" + e.getMessage());
+ }
+
+ int kvno = apReq.getTicket().getEncryptedEncPart().getKvno();
+ int encryptType = apReq.getTicket().getEncryptedEncPart().getEType().getValue();
+
+ // Get server key from credential
+ EncryptionKey serverKey = KerbyUtil.getEncryptionKey(acceptCred.getKeys(), encryptType, kvno);
+ if (serverKey == null) {
+ throw new GSSException(GSSException.FAILURE, -1, "Server key not found");
+ }
+
+ try {
+ ApRequest.validate(serverKey, apReq, channelBinding.getInitiatorAddress(), 5 * 60 * 1000);
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.UNAUTHORIZED, -1, "ApReq verification failed: " + e.getMessage());
+ }
+
+ ApResponse apResponse = new ApResponse(apReq);
+ ApRep apRep;
+ try {
+ apRep = apResponse.getApRep();
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.UNAUTHORIZED, -1, "Generate ApRep failed");
+ }
+
+ EncTicketPart apReqTicketEncPart = apReq.getTicket().getEncPart();
+
+ EncryptionKey ssKey = apReqTicketEncPart.getKey();
+ Authenticator auth = apReq.getAuthenticator();
+ EncryptionKey subKey = auth.getSubKey();
+
+ if (subKey != null) {
+ setSessionKey(subKey, INITIATOR_SUBKEY);
+ } else {
+ setSessionKey(ssKey, SESSION_KEY);
+ }
+
+ // initial seqNumber
+ int seqNumber = auth.getSeqNumber();
+ setMySequenceNumber(seqNumber);
+ // initial authtime, tktflags, authdata,
+ setAuthTime(apReqTicketEncPart.getAuthTime().toString());
+ setTicketFlags(apReqTicketEncPart.getFlags());
+ setAuthData(apReqTicketEncPart.getAuthorizationData());
+
+ byte[] ret = null;
+ try {
+ ret = apRep.encode();
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Generate ApRep bytes failed:" + e.getMessage());
+ }
+ return ret;
+ }
+
+ public int getWrapSizeLimit(int qop, boolean confReq, int maxTokSize)
+ throws GSSException {
+ return 65536; // TODO: to be implemented
+ }
+
+ public void wrap(InputStream is, OutputStream os, MessageProp msgProp)
+ throws GSSException {
+ if (ctxState != STATE_ESTABLISHED) {
+ throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for wrap");
+ }
+ throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported method"); // TODO: to be implemented
+ }
+
+ public byte[] wrap(byte[] inBuf, int offset, int len,
+ MessageProp msgProp) throws GSSException {
+ if (ctxState != STATE_ESTABLISHED) {
+ throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for wrap");
+ }
+ return null; // TODO: to be implemented
+ }
+
+ public void unwrap(InputStream is, OutputStream os,
+ MessageProp msgProp) throws GSSException {
+ throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported method"); // TODO: to be implemented
+ }
+
+ public byte[] unwrap(byte[] inBuf, int offset, int len,
+ MessageProp msgProp) throws GSSException {
+ if (ctxState != STATE_ESTABLISHED) {
+ throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for unwrap");
+ }
+ return null; // TODO: to be implemented
+ }
+
+ public void getMIC(InputStream is, OutputStream os,
+ MessageProp msgProp)
+ throws GSSException {
+ }
+
+ public byte[] getMIC(byte[] inMsg, int offset, int len,
+ MessageProp msgProp) throws GSSException {
+ return null; // TODO: to be implemented
+ }
+
+ public void verifyMIC(InputStream is, InputStream msgStr,
+ MessageProp msgProp) throws GSSException {
+ }
+
+ public void verifyMIC(byte[]inTok, int tokOffset, int tokLen,
+ byte[] inMsg, int msgOffset, int msgLen,
+ MessageProp msgProp) throws GSSException {
+ }
+
+ public byte[] export() throws GSSException {
+ throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported export method");
+ }
+
+ public void dispose() throws GSSException {
+ ctxState = STATE_DESTROYED;
+ setSessionKey(null, 0);
+ peerName = null;
+ myCred = null;
+ myName = null;
+ }
+
+
+ private String authTime;
+ private void setAuthTime(String authTime) {
+ this.authTime = authTime;
+ }
+
+ public Object inquireSecContext(InquireType type) throws GSSException {
+ if (ctxState != STATE_ESTABLISHED) {
+ throw new GSSException(GSSException.NO_CONTEXT, -1, "Invalid context");
+ }
+
+ switch (type) {
+ case KRB5_GET_SESSION_KEY:
+ return getSessionKey();
+ case KRB5_GET_TKT_FLAGS:
+ return KerbyUtil.ticketFlagsToBooleans(ticketFlags);
+ case KRB5_GET_AUTHZ_DATA:
+ if (isInitiator()) {
+ throw new GSSException(GSSException.UNAVAILABLE, -1,
+ "Authorization data not available for initiator");
+ } else {
+ return KerbyUtil.kerbyAuthorizationDataToJgssAuthorizationDataEntries(authData);
+ }
+ case KRB5_GET_AUTHTIME:
+ return authTime;
+ }
+ throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported inquire type");
+ }
+
+
+ // functions not belong to SPI
+ private void setSessionKey(EncryptionKey encryptionKey, int keyComesFrom) {
+ this.sessionKey = encryptionKey;
+ this.keyComesFrom = keyComesFrom;
+ }
+
+ public int getKeyComesFrom() {
+ return keyComesFrom;
+ }
+
+ private EncryptionKey getSessionKey() {
+ return sessionKey;
+ }
+
+ private void setTicketFlags(TicketFlags ticketFlags) {
+ this.ticketFlags = ticketFlags;
+ }
+
+ private AuthorizationData authData;
+ private void setAuthData(AuthorizationData authData) {
+ this.authData = authData;
+ }
+
+
+ private int mySequenceNumber;
+ private int peerSequenceNumber;
+ private Object mySequenceNumberLock;
+ private Object peerSequenceNumberLock;
+
+ public void setMySequenceNumber(int sequenceNumber) {
+ synchronized (mySequenceNumberLock) {
+ mySequenceNumber = sequenceNumber;
+ }
+ }
+
+ public int incMySequenceNumber() {
+ synchronized (mySequenceNumberLock) {
+ return mySequenceNumber++;
+ }
+ }
+
+ public void setPeerSequenceNumber(int sequenceNumber) {
+ synchronized (peerSequenceNumberLock) {
+ peerSequenceNumber = sequenceNumber;
+ }
+ }
+
+ public int incPeerSequenceNumber() {
+ synchronized (peerSequenceNumberLock) {
+ return peerSequenceNumber++;
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/06024445/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyUtil.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyUtil.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyUtil.java
index 61eeb8d..a5abb46 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyUtil.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyUtil.java
@@ -38,6 +38,7 @@ import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
import org.apache.kerby.kerberos.kerb.type.ticket.Ticket;
import org.apache.kerby.kerberos.kerb.type.ticket.TicketFlags;
import org.ietf.jgss.GSSException;
+import sun.security.jgss.GSSCaller;
import javax.crypto.SecretKey;
import javax.security.auth.kerberos.KerberosKey;
@@ -183,6 +184,18 @@ public class KerbyUtil {
}
/**
+ * Scan current context for SgtTicket
+ * @param client
+ * @param service
+ * @return
+ */
+ public static SgtTicket getSgtCredentialFromContext(GSSCaller caller, String client, String service)
+ throws GSSException {
+ KerberosTicket ticket = CredUtils.getKerberosTicketFromContext(caller, client, service);
+ return getSgtTicketFromKerberosTicket(ticket);
+ }
+
+ /**
* Construct a SgtTicket from KerberosTicket
* @param kerberosTicket
* @return
@@ -284,15 +297,6 @@ public class KerbyUtil {
return ticket;
}
- public static byte[] getAPRequest(PrincipalName clientPricipal, SgtTicket sgt) throws GSSException {
- ApRequest apRequest = new ApRequest(clientPricipal, sgt);
- try {
- return apRequest.getApReq().encode();
- } catch (Exception e) { // IOExcetpion, KrbException
- throw new GSSException(GSSException.FAILURE, -1, "Generate ApReq failed: " + e.getMessage());
- }
- }
-
public static KrbClientBase getKrbClient() {
KrbClientBase client;
try {